[wp-trac] [WordPress Trac] #61837: REST API: Uncaught TypeError when post password is provided as integer

WordPress Trac noreply at wordpress.org
Tue Sep 17 22:17:59 UTC 2024


#61837: REST API: Uncaught TypeError when post password is provided as integer
--------------------------------------+------------------------------
 Reporter:  mlf20                     |       Owner:  kadamwhite
     Type:  defect (bug)              |      Status:  closed
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  REST API                  |     Version:  6.2.2
 Severity:  normal                    |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests  |     Focuses:  rest-api
--------------------------------------+------------------------------
Changes (by kadamwhite):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 In [changeset:"59036" 59036]:
 {{{
 #!CommitTicketReference repository="" revision="59036"
 REST API: Only check password value in query parameters while checking
 post permissions.

 The `password` property which gets sent as part of a request POST body
 while setting a post's password should not be checked when calculating
 post visibility permissions.

 That value in the request body is intended to update the post, not to
 authenticate, and may be malformed or an invalid non-string type which
 would cause a fatal when checking against the hashed post password value.

 Query parameter `?password=` values are the correct interface to check,
 and are also guaranteed to be strings.

 Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
 Fixes #61837.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61837#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
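
The distinction the commit message draws, as an added example that is not part of the changeset or of WordPress core. `DemoRequest`, `can_access_before`, `can_access_after` and `outcome` are hypothetical names, the sample requests are constructed, and the use of PHP 8's `hash_equals()` for the comparison is an assumption of this sketch.

```php
<?php
// Hypothetical stand-in for a REST request object (not WordPress code).
// Array access merges parameters, body first; query params stay separate.
final class DemoRequest implements ArrayAccess {
    public function __construct(private array $query, private array $body) {}
    public function get_query_params(): array { return $this->query; }
    public function offsetExists(mixed $k): bool { return $this->offsetGet($k) !== null; }
    public function offsetGet(mixed $k): mixed { return $this->body[$k] ?? $this->query[$k] ?? null; }
    public function offsetSet(mixed $k, mixed $v): void {}
    public function offsetUnset(mixed $k): void {}
}

// Before: the merged value is compared, so a body field meant to *set* the
// password reaches hash_equals(), which throws TypeError for non-strings.
function can_access_before(string $stored, DemoRequest $request): bool {
    if (empty($request['password'])) {
        return false;
    }
    return hash_equals($stored, $request['password']);
}

// After: only the ?password= query parameter is treated as a credential.
function can_access_after(string $stored, DemoRequest $request): bool {
    $query = $request->get_query_params();
    if (empty($query['password'])) {
        return false;
    }
    return hash_equals($stored, $query['password']);
}

// Runs one check and reports the result instead of letting the error escape.
function outcome(callable $check, string $stored, DemoRequest $request): string {
    try {
        return $check($stored, $request) ? 'allowed' : 'denied';
    } catch (TypeError $e) {
        return 'TypeError';
    }
}

// Constructed sample requests.
$update = new DemoRequest([], ['password' => 12345]);      // body sets a new password
$reader = new DemoRequest(['password' => 's3cret'], []);   // ?password=s3cret

foreach (['can_access_before', 'can_access_after'] as $check) {
    printf("%s: update=%s reader=%s\n", $check,
        outcome($check, 's3cret', $update), outcome($check, 's3cret', $reader));
}
```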

