[wp-trac] [WordPress Trac] #53242: Potential private information leak in REST API doing it wrong

WordPress Trac noreply at wordpress.org
Fri May 21 01:40:07 UTC 2021


#53242: Potential private information leak in REST API doing it wrong
-----------------------------+-----------------------------
 Reporter:  anubisthejackle  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  REST API         |    Version:
 Severity:  normal           |   Keywords:
  Focuses:  rest-api         |
-----------------------------+-----------------------------
 In the REST API, when I set `show_in_index` to false, I expect that
 endpoint to not be shown to people without knowledge of it.

 The problem is, if that endpoint does not have a `permission_callback`
 set up, then `\rest_handle_doing_it_wrong` can leak the existence of that
 endpoint in the header if WP_DEBUG has been set.

 I would expect one of two things to happen, either:

 A) I only receive the `X-WP-DoingItWrong` header for the endpoint that I'm
 accessing; or
 B) I only receive the `X-WP-DoingItWrong` header for endpoints that are
 visible in `show_in_index`, or accessed directly.

 I'm partial to the former.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53242>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
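The two registration shapes the ticket contrasts, as an added illustration that is not part of the ticket or of WordPress core. The `example/v1` namespace, the route names, the handler name and the `manage_options` capability are assumptions; `register_rest_route()`, `show_in_index`, `permission_callback`, `rest_authorization_required_code()` and the `X-WP-DoingItWrong` header are existing WordPress behaviour.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Namespace, route names, handler name and capability are illustrative assumptions.

add_action( 'rest_api_init', function () {
    // Registration without a permission_callback: WordPress raises a
    // _doing_it_wrong() notice for this route. With WP_DEBUG enabled the notice is
    // surfaced as an X-WP-DoingItWrong header that names the route, so
    // show_in_index => false no longer keeps the route unadvertised.
    register_rest_route( 'example/v1', '/hidden-report', array(
        'methods'       => WP_REST_Server::READABLE,
        'callback'      => 'example_hidden_report',
        'show_in_index' => false,
    ) );

    // Hardened registration: an explicit permission_callback. No notice is raised,
    // so nothing about the route reaches the header, and callers who are not
    // permitted get a 401 (anonymous) or 403 (logged in) instead of the payload.
    register_rest_route( 'example/v1', '/hidden-report-fixed', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_hidden_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to access this resource.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'show_in_index'       => false,
    ) );
} );

// Shared handler for both routes (assumed name); only reached after the
// permission_callback, where one exists, has returned true.
function example_hidden_report( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'status' => 'ok' ) );
}
```

The point for anyone auditing a plugin is that `show_in_index` controls only the discovery listing; it does not gate access and does not suppress notices. Every route, hidden or not, needs a `permission_callback` (`__return_true` for deliberately public ones), and that alone removes the condition under which the header in this ticket is emitted.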