[wp-trac] [WordPress Trac] #40193: wp_ajax_crop_image capability checks too strict
WordPress Trac
noreply at wordpress.org
Sat Mar 18 10:43:42 UTC 2017
#40193: wp_ajax_crop_image capability checks too strict
--------------------------------+-----------------------------
Reporter: Cybr | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Media | Version: trunk
Severity: normal | Keywords:
Focuses: ui, administration |
--------------------------------+-----------------------------
This function `wp_ajax_crop_image()` has two issues, on these two lines:
https://github.com/WordPress/WordPress/blob/62061bab5658386d0bbfbfeb3f89be883fd75ec4/wp-admin/includes/ajax-actions.php#L3166-L3167
'''Line 3167 (capability):'''
It checks for user capability `customize`.
I believe this should be `upload_files`.
This is because the function has a default handler for `$context`, which
therefore can be used outside of the Customizer feature.
'''Line 3166 (referer):'''
It checks for `image_editor- . $attachment_id` nonce.
This nonce is created only if the user can edit the file.
Because this function creates a new image from the old '''without actually
editing or removing the old image''', this is also too strict.
https://github.com/WordPress/WordPress/blob/62061bab5658386d0bbfbfeb3f89be883fd75ec4/wp-includes/media.php#L3136-L3140
'''Conclusions:'''
1. The function works neatly outside of the Customizer, aside from the
capability and "referer" restrictions.
2. The function has too strict capabilities.
3. Function `wp_prepare_attachment_for_js` requires an additional nonce
(e.g. `{crop-image-$id}`) based on the `upload_files` capability.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40193>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
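As an added illustration of the ticket's third conclusion, and not code from WordPress core or from the reporter: a hypothetical plugin-style snippet that issues a per-attachment `crop-image-{id}` nonce to users holding `upload_files` (via the real `wp_prepare_attachment_for_js` filter) and verifies it in a custom AJAX action. The action name `example_crop_image` and the `cropNonce` key are assumptions, and the code assumes it runs inside a loaded WordPress install.

```php
<?php
/**
 * Hypothetical plugin code, not WordPress core. Shows the nonce/capability
 * pairing proposed in #40193: a nonce bound to one attachment id, gated on
 * `upload_files` rather than `customize`.
 */

// Attach a `crop-image-{id}` nonce to the attachment JS payload so the
// front end can send it with the crop request. Only users who hold
// `upload_files` receive it.
add_filter( 'wp_prepare_attachment_for_js', function ( $response, $attachment ) {
    if ( current_user_can( 'upload_files' ) ) {
        $response['cropNonce'] = wp_create_nonce( 'crop-image-' . $attachment->ID );
    }
    return $response;
}, 10, 2 );

// Handler for the assumed AJAX action "example_crop_image".
add_action( 'wp_ajax_example_crop_image', function () {
    $attachment_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    // The nonce is tied to this attachment id, so a token issued for one
    // image is not valid for another. check_ajax_referer() dies on failure.
    check_ajax_referer( 'crop-image-' . $attachment_id, 'nonce' );

    // The capability the ticket proposes instead of `customize`.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    // Whatever capability is chosen, reject ids that do not name an
    // existing image attachment before touching the filesystem.
    if ( 0 === $attachment_id || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'not an image attachment' ), 400 );
    }

    // Crop coordinates come from the request; coerce every value to a
    // non-negative integer before passing them on.
    $details = isset( $_POST['cropDetails'] ) ? (array) $_POST['cropDetails'] : array();
    $data    = array_map( 'absint', $details );
    foreach ( array( 'x1', 'y1', 'width', 'height', 'dst_width', 'dst_height' ) as $key ) {
        if ( ! isset( $data[ $key ] ) ) {
            wp_send_json_error( array( 'message' => "missing $key" ), 400 );
        }
    }

    // wp_crop_image() writes a new file and leaves the original untouched;
    // it returns the new path or a WP_Error.
    $cropped = wp_crop_image( $attachment_id, $data['x1'], $data['y1'], $data['width'],
        $data['height'], $data['dst_width'], $data['dst_height'] );
    if ( is_wp_error( $cropped ) ) {
        wp_send_json_error( array( 'message' => $cropped->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'cropped' => $cropped ) );
} );
```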