[wp-trac] [WordPress Trac] #16619: XMLRPC authentication bypasses plugins?

WordPress Trac wp-trac at lists.automattic.com
Wed Feb 23 11:03:19 UTC 2011


#16619: XMLRPC authentication bypasses plugins?
--------------------------+-----------------------------
 Reporter:  kojix         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  XML-RPC       |    Version:
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 I'm using the plugin Simple LDAP Authentication to authenticate to my blog
 network. The plugin is running ok on the web authentication, but when
 trying the Android App, it fails with the User/password wrong message.

 I've set a password for my user into the wp_users table (by default the
 plugin sets it as a random value), and using this pwd I can authenticate,
 so I think that xmlrpc bypasses the plugin authentication (I've checked it
 putting error messages on log on the plugin process, and nothing appears
 when accessing via xmlrpc).

 In the xmlrpc.php doc, there is the wp_xmlrpc_server::login function,
 which performs this call:

 $user = wp_authenticate($username, $password);

 And on the plugin class definition we have:

 function LdapAuthenticationPlugin() {
   ...

   add_action('wp_authenticate', array(&$this, 'authenticate'), 10, 2);
   add_filter('check_password', array(&$this, 'override_password_check'), 10, 4);

   ...

 So, I think all should be ok, which makes me think that there could be an
 error in xmlrpc.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16619>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

