invis.net

Bug in trigger for Block User Enumeration

Hello and congratulations on this new forum.
I am not sure if bug reports belong in this category. Please move it around as needed.

I am encountering a bug relating to Block User Enumeration.

Using
WordPress 5.3.2 with Gutenberg
WP Fail2ban 4.2.7.1
Windows & Mac, Chrome & Firefox

Logs

When a non-admin creates a new post, which starts up Gutenberg, one of the requests triggers Blocked user enumeration attempt. I could reproduce this on different servers and in different browsers, so I am quite sure it has to do with the way _log_bail_user_enum() works. Here are the logs.

Nginx access.log
A single request shows a non-200 status code, namely 403 Forbidden.

IP.IP.IP.IP - - [09/Apr/2020:16:59:25 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&lang=fr&_locale=user HTTP/2.0" 403 98 "https://example.com/wp/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:74.0) Gecko/20100101 Firefox/74.0" "-"

auth.log

Apr  9 16:59:08 example wordpress(example.com)[18498]: Accepted password for editor from IP.IP.IP.IP
Apr  9 16:59:25 example wordpress(example.com)[18498]: Blocked user enumeration attempt from IP.IP.IP.IP

fail2ban.log

2020-04-09 16:59:26,177 fail2ban.filter         [2217]: INFO    [wordpress-hard] Found IP.IP.IP.IP - 2020-04-09 16:59:25
2020-04-09 16:59:26,282 fail2ban.actions        [2217]: NOTICE  [wordpress-hard] Ban IP.IP.IP.IP

Problem

As I understand it, the error comes from /wp-json/wp/v2/users/?who=authors triggering WP Fail2ban even when it comes from a logged-in non-admin.
Indeed, it does not happen for admins. As such, as a temporary fix, I changed the user (which I trust entirely) from Editor role to Administrator role and they could publish again.
But, switching other people to Administrator is not an option.
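As an added triage aid, not code from the plugin or from anyone in this thread: a Python script that re-parses lines in the auth.log and Nginx access.log formats shown above and flags "Blocked user enumeration attempt" events that match the Gutenberg pattern reported here (the same IP had an accepted login shortly before, and the 403 on /wp-json/wp/v2/users/ carried a wp-admin referer). The sample lines, the documentation IPs and the 15-minute login window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the formats quoted in the thread (IPs are documentation addresses).
AUTH_LOG = """\
Apr  9 16:59:08 example wordpress(example.com)[18498]: Accepted password for editor from 192.0.2.10
Apr  9 16:59:25 example wordpress(example.com)[18498]: Blocked user enumeration attempt from 192.0.2.10
Apr  9 17:02:11 example wordpress(example.com)[18498]: Blocked user enumeration attempt from 198.51.100.7
"""
ACCESS_LOG = """\
192.0.2.10 - - [09/Apr/2020:16:59:25 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100 HTTP/2.0" 403 98 "https://example.com/wp/wp-admin/post-new.php?post_type=page" "Mozilla/5.0" "-"
198.51.100.7 - - [09/Apr/2020:17:02:11 +0200] "GET /wp-json/wp/v2/users/?per_page=100 HTTP/1.1" 403 98 "-" "curl/7.68.0" "-"
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"(?P<msg>Accepted password for \S+|Blocked user enumeration attempt) from (?P<ip>\S+)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def parse_auth_ts(ts, year):
    # syslog timestamps carry no year, and "Apr  9" has a padding space, so normalise first
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def triage(auth_log, access_log, year=2020, window=timedelta(minutes=15)):
    """Map (ip, block time) -> 'likely-false-positive' or 'suspicious'.
    A block is a likely false positive when the same IP had an accepted login within
    `window` before it AND a 403 on /wp-json/wp/v2/users/ at (about) the same second
    carried a wp-admin referer, i.e. the Gutenberg editor pattern from the thread."""
    logins, blocks = {}, []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        when = parse_auth_ts(m["ts"], year)
        if m["msg"].startswith("Accepted password"):
            logins.setdefault(m["ip"], []).append(when)
        else:
            blocks.append((m["ip"], when))
    admin_403s = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if (m and m["status"] == "403" and m["path"].startswith("/wp-json/wp/v2/users")
                and "/wp-admin/" in m["referer"]):
            admin_403s.append((m["ip"], datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")))
    verdicts = {}
    for ip, when in blocks:
        recent_login = any(timedelta(0) <= when - t <= window for t in logins.get(ip, []))
        near_403 = any(a_ip == ip and abs((a_ts - when).total_seconds()) <= 2 for a_ip, a_ts in admin_403s)
        verdicts[(ip, when.isoformat())] = "likely-false-positive" if recent_login and near_403 else "suspicious"
    return verdicts
```

Run it over real logs by reading the two files into the `triage()` arguments; entries marked suspicious are the ones worth leaving banned.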

Getting user enumeration blocking to work properly with Gutenberg has been a bit annoying; I fixed it in 4.3.0 and I’d not planned on back-porting that to 4.2.x, but on second thoughts I may as well.

If you change line 89 of user-enum.php from:

if (!current_user_can('list_users')) {

to

if (!current_user_can('edit_others_posts')) {

can you confirm that it now works?

Thank you for the patch. I will try it out and get back to you.

Yes, that does solve the bug.
Thank you!