[wp-trac] [WordPress Trac] #53386: Multisite is_super_admin call during app password validation can lead to infinite loop
WordPress Trac
noreply at wordpress.org
Fri Jun 11 18:36:19 UTC 2021
#53386: Multisite is_super_admin call during app password validation can lead to
infinite loop
-----------------------------------+-----------------------------
Reporter: chrisvanpatten | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version:
Severity: normal | Keywords:
Focuses: |
-----------------------------------+-----------------------------
In multisite, the following code sample leads to an infinite loop when
validating an application password:
{{{#!php
<?php
// On multisite, the user_can() call inside this filter callback re-enters the filter.
\add_filter(
	'wp_is_application_passwords_available_for_user',
	fn( bool $available, \WP_User $user ): bool => user_can( $user, 'app_password_cap' ),
	10,
	2,
);
}}}
This is because, in multisite, the `user_can` call leads to an
`is_super_admin` call, which in turn leads to a `wp_get_current_user` call
which ultimately triggers
`wp_is_application_passwords_available_for_user`… starting the whole
process over again.
(Worth noting that a very similar example to the above is included in the
[https://make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/ Application Passwords Integration Guide],
so this use-case should be a supported one. For anyone who encounters this, a
workaround is to remove your hook before you call `user_can`, and add it
back after.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53386>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
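
The workaround described in the ticket (remove the hook before calling `user_can`, add it back after), as an added example that is not part of the original report or of WordPress core. The function name `myplugin_app_passwords_available` is hypothetical; `app_password_cap` is the capability name used in the ticket.

```php
<?php
// Added example: a named callback is used instead of the ticket's arrow function
// so that the same callable can be passed to remove_filter().
// Hypothetical name; 'app_password_cap' comes from the ticket.
function myplugin_app_passwords_available( bool $available, \WP_User $user ): bool {
	// Design choice in this example: keep an earlier "not available" decision
	// instead of overriding it, so the filter can only narrow access.
	if ( ! $available ) {
		return false;
	}

	// Detach before user_can(). Per the ticket, on multisite user_can() reaches
	// is_super_admin(), then wp_get_current_user(), which triggers this filter again.
	remove_filter(
		'wp_is_application_passwords_available_for_user',
		'myplugin_app_passwords_available',
		10
	);

	try {
		return user_can( $user, 'app_password_cap' );
	} finally {
		// Always re-attach, even if the capability check throws, so the
		// restriction is not silently dropped for the rest of the request.
		add_filter(
			'wp_is_application_passwords_available_for_user',
			'myplugin_app_passwords_available',
			10,
			2
		);
	}
}

add_filter(
	'wp_is_application_passwords_available_for_user',
	'myplugin_app_passwords_available',
	10,
	2
);
```

While the hook is detached, any nested evaluation of `wp_is_application_passwords_available_for_user` runs without this restriction, so the result of that nested lookup is decided by core and any other filters alone.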