Real-time collaboration: check wp_user_id before accepting awareness update.

ellatrix · ellatrix · commit a67307b3e435 · 2026-03-05T09:23:42.000Z
Using the built-in HTTP polling sync server, awareness state is accepted and stored after the user is authorized. This state is keyed against their sync client ID, which is randomly generated. However, nothing prevents a user from spoofing another client's client ID, which is discoverable by inspecting network responses. By replaying a sync request with a different client ID, they could temporarily overwrite another client's awareness state. This change prevents this spoofing by storing and checking the user's WordPress user ID to ensure it matches the initial update. Developed in: WordPress/wordpress-develop#11120. Syncs: WordPress/gutenberg#76056. Fixes #64782. Props czarate. Built from https://develop.svn.wordpress.org/trunk@61838 git-svn-id: http://core.svn.wordpress.org/trunk@61125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
diff --git a/wp-includes/collaboration/class-wp-http-polling-sync-server.php b/wp-includes/collaboration/class-wp-http-polling-sync-server.php
@@ -181,10 +181,25 @@ public function check_permissions( WP_REST_Request $request ) {
 			);
 		}
 
-		$rooms = $request['rooms'];
+		$rooms      = $request['rooms'];
+		$wp_user_id = get_current_user_id();
 
 		foreach ( $rooms as $room ) {
-			$room         = $room['room'];
+			$client_id = $room['client_id'];
+			$room      = $room['room'];
+
+			// Check that the client_id is not already owned by another user.
+			$existing_awareness = $this->storage->get_awareness_state( $room );
+			foreach ( $existing_awareness as $entry ) {
+				if ( $client_id === $entry['client_id'] && $wp_user_id !== $entry['wp_user_id'] ) {
+					return new WP_Error(
+						'rest_cannot_edit',
+						__( 'Client ID is already in use by another user.' ),
+						array( 'status' => rest_authorization_required_code() )
+					);
+				}
+			}
+
 			$type_parts   = explode( '/', $room, 2 );
 			$object_parts = explode( ':', $type_parts[1] ?? '', 2 );
 
@@ -346,6 +361,7 @@ private function process_awareness_update( string $room, int $client_id, ?array
 				'client_id'  => $client_id,
 				'state'      => $awareness_update,
 				'updated_at' => $current_time,
+				'wp_user_id' => get_current_user_id(),
 			);
 		}
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-beta2-61837';
+$wp_version = '7.0-beta2-61838';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`*`
`17`	`17`	`* @global string $wp_version`
`18`	`18`	`*/`
`19`		`-$wp_version = '7.0-beta2-61837';`
	`19`	`+$wp_version = '7.0-beta2-61838';`
`20`	`20`
`21`	`21`	`/**`
`22`	`22`	`* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.`