[wp-trac] [WordPress Trac] #17850: XMLRPC API Clients can't edit underscore-prefixed custom fields
WordPress Trac
wp-trac at lists.automattic.com
Thu Jun 23 18:43:46 UTC 2011
#17850: XMLRPC API Clients can't edit underscore-prefixed custom fields
------------------------------+--------------------
 Reporter:  redsweater        |       Owner:
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  3.1.4
Component:  General           |     Version:  3.1.3
 Severity:  normal            |  Resolution:
 Keywords:  mobile has-patch  |
------------------------------+--------------------
Comment (by ryan):

That patch is not even close to finished. It is just a proof-of-concept
along one code path. I think this is too much for 3.2. I suggest doing
this early in 3.3, letting it soak a bit, and then back porting to 3.2.1.

A survey of a few plugin authors indicates the expectation is that
underscore prefixed meta keys should not be editable by xml-rpc.
Hopefully this means not too many will be hampered by these remaining
protected awhile longer.

In conclusion, opening up underscore meta without introducing some cap and
sanitize hooks is just opening the security hole back up, whether it be
for protected core meta or protected plugin meta. Since registering cap
and sanitize hooks is too big an undertaking for 3.2, I suggest punting
to 3.3.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/17850#comment:19>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software