[wp-trac] [WordPress Trac] #50075: Trigger _doing_it_wrong for dangerous REST API endpoint option
WordPress Trac
noreply at wordpress.org
Fri Jul 17 03:06:01 UTC 2020
#50075: Trigger _doing_it_wrong for dangerous REST API endpoint option
--------------------------------------+---------------------
 Reporter:  rmccue                    |  Owner:       (none)
     Type:  defect (bug)              |  Status:      new
 Priority:  normal                    |  Milestone:   5.5
Component:  REST API                  |  Version:     4.4
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |  Focuses:
--------------------------------------+---------------------
Comment (by TimothyBlynJacobs):
I think it makes the most sense to add the notice if the
`permission_callback` is missing at all. We've seen multiple examples of
that issue in the wild and it can be a pretty bad vulnerability when it
happens.
Looking for `permissions_callback` specifically would work for one
misspelling, but others are easy as well.
The notice would be annoying for people who are intentionally omitting a
permission callback, but adding a `__return_true` is quite a simple fix.
I chatted about this with @SergeyBiryukov; we also have precedent for this
kind of thing in Core with the notices added in `map_meta_cap` if the
object's type isn't registered. That behavior isn't necessarily unsafe,
but Core can't be sure, and so it is safer to add a notice.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50075#comment:10>
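The registration mistake the comment describes, side by side with the explicit forms, as an added example (not code from the ticket's patch or from WordPress core). It assumes a plugin namespace `example/v1`, hypothetical handlers `example_update_settings` and `example_status`, and an audit helper `example_audit_rest_permission_callbacks` that walks the registered routes on `rest_api_init` and raises `_doing_it_wrong` for any handler with no `permission_callback`, much as the ticket proposes doing inside core. The version string passed to `_doing_it_wrong` is a placeholder.

```php
<?php
// Added example: not from the ticket or from WordPress core.
// Assumes the example/v1 namespace and the hypothetical handlers below.

function example_update_settings( WP_REST_Request $request ) {
    update_option( 'example_setting', sanitize_text_field( $request['value'] ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

function example_status() {
    return rest_ensure_response( array( 'status' => 'ok' ) );
}

add_action( 'rest_api_init', function () {
    // The misspelling the ticket discusses: the key is `permissions_callback`,
    // so register_rest_route() silently ignores it and the route ends up
    // with no permission check at all. Any unauthenticated visitor can POST.
    register_rest_route( 'example/v1', '/settings-broken', array(
        'methods'              => 'POST',
        'callback'             => 'example_update_settings',
        'permissions_callback' => function () {            // wrong key, never called
            return current_user_can( 'manage_options' );
        },
    ) );

    // Correct form: an explicit permission_callback gating a privileged write.
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );

    // Intentionally public endpoint: say so explicitly with __return_true,
    // which is the "quite simple fix" for anyone the proposed notice would bother.
    register_rest_route( 'example/v1', '/status', array(
        'methods'             => 'GET',
        'callback'            => 'example_status',
        'permission_callback' => '__return_true',
    ) );
} );

// Hypothetical audit helper (assumption, not a core API): runs after every
// plugin has registered its routes and flags handlers missing the key.
// Returns the list of flagged routes so it can be inspected in tests.
function example_audit_rest_permission_callbacks() {
    $flagged = array();

    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            if ( ! isset( $handler['permission_callback'] ) ) {
                $flagged[] = $route;
                _doing_it_wrong(
                    'register_rest_route',
                    sprintf(
                        'The REST route %s is registered without a permission_callback.',
                        esc_html( $route )
                    ),
                    'X.Y.Z' // placeholder version string
                );
            }
        }
    }

    return $flagged;
}
add_action( 'rest_api_init', 'example_audit_rest_permission_callbacks', PHP_INT_MAX );
```

With this in place, `/example/v1/settings-broken` is the only route the helper reports, because the misspelled key is dropped and the handler array stored by the server has no `permission_callback` entry; `/settings` and `/status` both pass, which is the distinction the comment draws between an accidental omission and a deliberate `__return_true`.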