[wp-trac] [WordPress Trac] #17850: XMLRPC API Clients can't edit underscore-prefixed custom fields
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 21 17:07:20 UTC 2011
#17850: XMLRPC API Clients can't edit underscore-prefixed custom fields
---------------------------------------------+-----------------------
Reporter: redsweater | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 3.3
Component: General | Version: 3.1.3
Severity: normal | Resolution:
Keywords: mobile has-patch 3.3-early punt |
---------------------------------------------+-----------------------
Changes (by xknown):
* status: closed => reopened
* resolution: fixed =>
Comment:
I think I missed the party :)
Currently this protection can be easily bypassed in two different ways
using the ajax or xmlrpc api. I am able for example to add the
{{{_wp_attached_file}}} meta to some post. I describe the steps to
reproduce the problems using the ajax api.
- Create a new meta key, for example "foo" using the post editor. Then,
rename this meta key to {{{_wp_attached_file}}}.
- Create a new meta with the following key {{{\_wp_attached_file}}}. The
stripslashes function is called two times when creating a new meta
with the {{{add_meta}}} function.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17850#comment:29>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
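
The two cases in the comment above share one cause: the key that is checked is not the key that ends up stored. The following added example is a simplified model, not WordPress core code. It assumes that the protection is an underscore-prefix test and that the weak flow checks the key as received and then unescapes it twice; all function names are hypothetical.

```php
<?php
// Added illustration: a simplified model, not WordPress core code.
// Assumption: a meta key is protected when it begins with an underscore.
function is_protected_key(string $key): bool {
    return $key !== '' && $key[0] === '_';
}

// Assumed weak flow: the key is checked as received and then unescaped
// twice before storage, so the stored key can differ from the checked one.
function add_meta_weak(array &$meta, string $key, string $value): bool {
    if (is_protected_key($key)) {
        return false;
    }
    $meta[stripslashes(stripslashes($key))] = $value;
    return true;
}

// Corrected flow: normalise fully, then check the exact string that is stored.
function add_meta_checked(array &$meta, string $key, string $value): bool {
    $key = stripslashes(stripslashes($key));
    if (is_protected_key($key)) {
        return false;
    }
    $meta[$key] = $value;
    return true;
}

// Rename path: the new key must pass the same check as a newly created key.
function rename_meta_checked(array &$meta, string $old, string $new): bool {
    $new = stripslashes(stripslashes($new));
    if (!array_key_exists($old, $meta) || is_protected_key($old) || is_protected_key($new)) {
        return false;
    }
    $meta[$new] = $meta[$old];
    unset($meta[$old]);
    return true;
}

// Constructed input: the keys named in the comment above.
$escaped = '\\_wp_attached_file';   // PHP literal for one backslash followed by the key
$weak = [];
$safe = ['foo' => 'bar'];
var_dump(add_meta_weak($weak, $escaped, 'x'), array_keys($weak));
var_dump(add_meta_checked($safe, $escaped, 'x'));
var_dump(rename_meta_checked($safe, 'foo', '_wp_attached_file'));
var_dump(rename_meta_checked($safe, 'foo', 'renamed_key'), array_keys($safe));
```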