REST API: Only check password value in query parameters while checking post permissions.

The `password` property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions. That value in the request body is intended to update the post, not to authenticate, and may be malformed or an invalid non-string type which would cause a fatal when checking against the hashed post password value. Query parameter `?password=` values are the correct interface to check, and are also guaranteed to be strings. Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite. Fixes #61837. git-svn-id: https://develop.svn.wordpress.org/trunk@59036 602fd350-edb4-49c9-b593-d223f7449a82
2025-03-15 09:29:48 +01:00 · 2024-09-17 22:17:41 +00:00 · 2024-09-17 22:17:41 +00:00 · 15b7d2a868
commit 15b7d2a868
parent d3d02c44eb
2 changed files with 47 additions and 2 deletions
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@ -504,9 +504,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			);
 		}

-		if ( $post && ! empty( $request['password'] ) ) {
+		if ( $post && ! empty( $request->get_query_params()['password'] ) ) {
 			// Check post password, and return error if invalid.
-			if ( ! hash_equals( $post->post_password, $request['password'] ) ) {
+			if ( ! hash_equals( $post->post_password, $request->get_query_params()['password'] ) ) {
 				return new WP_Error(
 					'rest_post_incorrect_password',
 					__( 'Incorrect post password.' ),
--- a/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php
@ -2232,6 +2232,51 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$this->assertTrue( $data['excerpt']['protected'] );
 	}

+	/**
+	 * @ticket 61837
+	 */
+	public function test_get_item_permissions_check_while_updating_password() {
+		$endpoint = new WP_REST_Posts_Controller( 'post' );
+
+		$request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+		$request->set_url_params( array( 'id' => self::$post_id ) );
+		$request->set_body_params(
+			$this->set_post_data(
+				array(
+					'id'       => self::$post_id,
+					'password' => '123',
+				)
+			)
+		);
+		$permission = $endpoint->get_item_permissions_check( $request );
+
+		// Password provided in POST data, should not be used as authentication.
+		$this->assertNotWPError( $permission, 'Password in post body should be ignored by permissions check.' );
+		$this->assertTrue( $permission );
+	}
+
+	/**
+	 * @ticket 61837
+	 */
+	public function test_get_item_permissions_check_while_updating_password_with_invalid_type() {
+		$endpoint = new WP_REST_Posts_Controller( 'post' );
+
+		$request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+		$request->set_url_params( array( 'id' => self::$post_id ) );
+		$request->set_body_params(
+			$this->set_post_data(
+				array(
+					'id'       => self::$post_id,
+					'password' => 123,
+				)
+			)
+		);
+		$permission = $endpoint->get_item_permissions_check( $request );
+
+		$this->assertNotWPError( $permission, 'Password in post body should be ignored by permissions check even when it is an invalid type.' );
+		$this->assertTrue( $permission );
+	}
+
 	/**
 	 * The post response should not have `block_version` when in view context.
 	 *