
commit c418ba020581dbb148f7a907453439bf3483a340
Author: K. Adam White <kadamwhite@gmail.com>
Date:   Tue Sep 17 22:19:14 2024 +0000

    REST API: Only check password value in query parameters while checking post permissions.

    The `password` property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions.

    That value in the request body is intended to update the post, not to authenticate, and may be malformed or an invalid non-string type, which would cause a fatal error when checking it against the hashed post password value.

    Query parameter `?password=` values are the correct interface to check, and are also guaranteed to be strings.

    Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
    Fixes #61837.


    Built from https://develop.svn.wordpress.org/trunk@59036


    git-svn-id: http://core.svn.wordpress.org/trunk@58432 1a063a9b-81f0-0310-95a4-ce76da25c4cd

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 11bc499fc6..8aec375bc8 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -504,9 +504,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			);
 		}

-		if ( $post && ! empty( $request['password'] ) ) {
+		if ( $post && ! empty( $request->get_query_params()['password'] ) ) {
 			// Check post password, and return error if invalid.
-			if ( ! hash_equals( $post->post_password, $request['password'] ) ) {
+			if ( ! hash_equals( $post->post_password, $request->get_query_params()['password'] ) ) {
 				return new WP_Error(
 					'rest_post_incorrect_password',
 					__( 'Incorrect post password.' ),
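Review bot: The `hash_equals()` call on the new line still receives a non-string when the query string is written as `?password[]=x`, which PHP parses into an array in `$_GET`; if `get_query_params()` is populated from `$_GET` (as I believe the REST server does), `hash_equals()` raises a TypeError on PHP 8 instead of returning false, so the fatal this commit targets is narrowed rather than removed and the "guaranteed to be strings" claim in the description does not hold. Reading the value once and type-guarding it closes that and also drops the duplicated `get_query_params()` call: `$password = $request->get_query_params()['password'] ?? '';`, `if ( $post && ! empty( $password ) ) {`, `if ( ! is_string( $password ) || ! hash_equals( $post->post_password, $password ) ) {`. A non-string value then falls through to the existing `rest_post_incorrect_password` 403, which seems the right outcome for malformed input. The enclosing permissions-check method begins and ends outside this hunk.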
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 83add0524b..22ef0ce46a 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.7-alpha-59035';
+$wp_version = '6.7-alpha-59036';

 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.