[wp-trac] [WordPress Trac] #46748: authenticate filter hook does not behave as expected for priority values less than 20
WordPress Trac
noreply at wordpress.org
Mon Apr 1 12:33:38 UTC 2019
#46748: authenticate filter hook does not behave as expected for priority values less than 20
------------------------------------+-----------------------------
Reporter: robert.peake | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version:
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
Returning null or a WP_Error object from functions bound to the
[https://codex.wordpress.org/Plugin_API/Filter_Reference/authenticate authenticate]
filter at priority values less than 20 does not prohibit a user from logging in.
Consider the following snippet:
{{{#!php
<?php
/*
Plugin Name: Prohibit Login
Description: Proves that the authenticate filter does not work as expected
with lower priority
Author: Robert Peake
Version: 0.1
*/
// Always reject the attempt: a WP_Error returned from 'authenticate' should abort the login.
function prohibit_login($user_or_email, $username = null, $password = null) {
    return new WP_Error('authentication_failed', 'Prohibit Login plugin prohibited login');
}
// Priority 20, three arguments (the user-or-error value, username, password).
add_filter('authenticate', 'prohibit_login', 20, 3);
}}}
This code when activated as a plugin prohibits an admin user from logging
in using wp-login.php and displays the message "Prohibit Login plugin
prohibited login" as expected.
Changing the value from 20 to e.g. 19 on the final line does not prohibit
an admin user from logging in using wp-login.php. No message is displayed,
and the login proceeds.
(Note: this has been tested with all other plugins deactivated with the
Twentynineteen theme using the latest nightly build.)
While this is not a security problem in itself, because it is undocumented
behaviour it could lead to security issues in plugins where an author
assumes that, like other filter hooks, e.g. the default priority of 10 can
be explicitly stated without side-effects.
For this reason, I initially [https://hackerone.com/reports/519283
submitted a ticket on the HackerOne platform] just to be sure, but the
ticket was closed as being a "hypothetical" vulnerability without a
"clear PoC", so I am filing this bug report instead.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46748>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
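The ordering effect the ticket describes can be reproduced without a WordPress install. The script below is an added illustration, not WordPress core code and not the reporter's plugin: WP_Error, WP_User, add_filter/remove_filter/apply_filters and get_user_by() are minimal stand-ins, the user table is constructed sample data, and the model of wp_authenticate_username_password() rests on one assumption, stated in its comment, about how core's priority-20 callback treats the value handed to it.

```php
<?php
// Stand-alone model of the 'authenticate' filter chain. Added illustration, not WordPress core
// or the reporter's plugin. WP_Error, WP_User, the hook functions and get_user_by() are minimal
// stand-ins; the user table is constructed sample data.

class WP_Error {
    public $code;
    public $message;
    public function __construct($code = '', $message = '') { $this->code = $code; $this->message = $message; }
}
class WP_User {
    public $user_login;
    public $pass;
    public function __construct($login, $pass) { $this->user_login = $login; $this->pass = $pass; }
}
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Simplified hook registry: callbacks run in ascending priority and each one receives the
// value returned by the previous one as its first argument.
$filters = [];
function add_filter($tag, $cb, $priority = 10, $accepted_args = 1) {
    global $filters;
    $filters[$tag][$priority][] = [$cb, $accepted_args];
}
function remove_filter($tag, $cb, $priority = 10) {
    global $filters;
    if (!isset($filters[$tag][$priority])) { return false; }
    $filters[$tag][$priority] = array_values(array_filter(
        $filters[$tag][$priority], function ($e) use ($cb) { return $e[0] !== $cb; }
    ));
    return true;
}
function apply_filters($tag, $value, ...$args) {
    global $filters;
    if (empty($filters[$tag])) { return $value; }
    ksort($filters[$tag]);
    foreach ($filters[$tag] as $callbacks) {
        foreach ($callbacks as list($cb, $n)) {
            $value = $cb(...array_slice(array_merge([$value], $args), 0, $n));
        }
    }
    return $value;
}

// Constructed sample user (plaintext password only to keep the model short).
$users = ['admin' => new WP_User('admin', 'correct horse battery staple')];
function get_user_by($field, $value) { global $users; return isset($users[$value]) ? $users[$value] : false; }

// Model of core's wp_authenticate_username_password(), which default-filters.php hooks at
// priority 20. Assumption built into the model: it short-circuits only on a WP_User; given a
// non-empty username and password it runs its own lookup and returns that result, so a
// WP_Error produced by an earlier callback is overwritten rather than propagated.
function wp_authenticate_username_password($user, $username, $password) {
    if ($user instanceof WP_User) { return $user; }
    if (empty($username) || empty($password)) {
        return is_wp_error($user) ? $user : new WP_Error('empty_username', 'Empty username or password.');
    }
    $found = get_user_by('login', $username);
    if (!$found || $found->pass !== $password) {
        return new WP_Error('incorrect_password', 'Incorrect password.');
    }
    return $found;
}
add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);

// The reporter's callback, as posted in the ticket.
function prohibit_login($user_or_email, $username = null, $password = null) {
    return new WP_Error('authentication_failed', 'Prohibit Login plugin prohibited login');
}

// Equivalent of wp_authenticate(): the chain starts from null.
function wp_authenticate($username, $password) {
    return apply_filters('authenticate', null, $username, $password);
}

function describe($result) {
    return $result instanceof WP_User ? "logged in as {$result->user_login}" : "blocked: {$result->message}";
}

// Hooked before core (priority 10): core overwrites the WP_Error and the login succeeds.
add_filter('authenticate', 'prohibit_login', 10, 3);
echo 'priority 10: ' . describe(wp_authenticate('admin', 'correct horse battery staple')) . PHP_EOL;
remove_filter('authenticate', 'prohibit_login', 10);

// Hooked after core (priority 30): the WP_Error is the final value and the login is blocked.
add_filter('authenticate', 'prohibit_login', 30, 3);
echo 'priority 30: ' . describe(wp_authenticate('admin', 'correct horse battery staple')) . PHP_EOL;
```

Run it with `php` on the command line: the first line reports a successful login for the same credentials that the second line shows blocked. The practical consequence for plugin authors is that a callback meant to veto a login must run after core's callbacks (priority above 20, and above 30 if cookie-based authentication must also be covered), and should pass through any WP_Error it receives rather than assume the first argument is a WP_User.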