IXR client doesn't properly handle XMLRPC over HTTPS
|Reported by:||bryanmaupin||Owned by:||westi|
There are two problems with the IXR XMLRPC client:
- The current IXR client code defaults to port 80, and isn't smart enough to know the port should be 443 if an https URL is sent.
- The IXR client doesn't create an SSL connection even if the port is 443.
I first noticed this because we're using an apache redirect to redirect XMLRPC requests to SSL (except the RSD) to avoid sending passwords in clear text. Some clients (like windows live writer) use the blogger API instead of the wp API for wp sites. For wp multisite, blogger_getUsersBlogs() calls _multisite_getUsersBlogs(), which creates a new IXR XMLRPC client. But _multisite_getUsersBlogs() doesn't send a port number with the URL, so the IXR client defaults to port 80 (problem #1). Even if _multisite_getUsersBlogs() sent a port, the IXR client connection wouldn't be SSL (problem #2).
I'm also going to look into submitting this upstream.
Change History (16)
- Resolution fixed deleted
- Severity changed from normal to major
- Status changed from closed to reopened