Opened 11 months ago
Last modified 11 months ago
#20986 new defect (bug)
xmlrpc.php should return http 405 for get requests (and not 200)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | XML-RPC | Version: | |
| Severity: | normal | Keywords: | has-patch |
| Cc: | maxcutler | | |
Description
```
$ curl -v http://raphaelhertzog.com/xmlrpc.php
[...]
> GET /xmlrpc.php HTTP/1.1
< HTTP/1.1 200 OK
[...]
XML-RPC server accepts POST requests only.
```
The error returned should be reflected in the HTTP return code: it should return HTTP 405 (Method not allowed) instead of 200 (OK).
This has been originally reported in the Debian bug tracking system: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598124
Attachments (2)
Change History (8)
comment:1
SergeyBiryukov — 11 months ago
- Component changed from General to XML-RPC
comment:3 follow-up: ↓ 4
josephscott — 11 months ago
Returning 405 sounds reasonable.
@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?
Replying to josephscott:
@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?
Valid question. I was just following examples of similar behavior elsewhere in core.
- /wp-comments-post.php@L10
- /wp-includes/class-wp-atom-server.php (multiple)
Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?
Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?
We have one — status_header( 405 ); The logic in load.php is simply there because under maintenance mode, we have very little of WordPress loaded.

Added a patch for this. Not sure if this should go in 3.4.x or 3.5, need core dev input.
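
The behaviour discussed in this ticket, as an added stand-alone PHP example (not the attached patch and not WordPress core code): reject non-POST requests with 405, send the `Allow` header that a 405 response must carry, and take the protocol version from the request rather than hard-coding HTTP/1.1. The function name `xmlrpc_guard_response()` and the sample requests are constructed for illustration.

```php
<?php
// Added example: stand-alone sketch, not WordPress core code or the ticket's patch.
// xmlrpc_guard_response() is a hypothetical helper name.

/**
 * Decide how an XML-RPC endpoint should answer, given $_SERVER-style input.
 * Returns null when the request may proceed (POST), otherwise the status
 * line, headers and body of the rejection.
 */
function xmlrpc_guard_response(array $server): ?array
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? '');
    if ($method === 'POST') {
        return null;
    }

    // Use the protocol version of the request instead of hard-coding
    // HTTP/1.1; anything unexpected falls back to HTTP/1.0.
    $protocol = $server['SERVER_PROTOCOL'] ?? '';
    if (!in_array($protocol, ['HTTP/1.0', 'HTTP/1.1'], true)) {
        $protocol = 'HTTP/1.0';
    }

    return [
        'status_line' => $protocol . ' 405 Method Not Allowed',
        'headers'     => [
            'Allow: POST',              // a 405 response must list the allowed methods
            'Content-Type: text/plain',
        ],
        'body'        => "XML-RPC server accepts POST requests only.\n",
    ];
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['REQUEST_METHOD' => 'GET',  'SERVER_PROTOCOL' => 'HTTP/1.1'],
    ['REQUEST_METHOD' => 'GET',  'SERVER_PROTOCOL' => 'HTTP/1.0'],
    ['REQUEST_METHOD' => 'POST', 'SERVER_PROTOCOL' => 'HTTP/1.1'],
];
foreach ($samples as $s) {
    $r = xmlrpc_guard_response($s);
    echo $s['REQUEST_METHOD'], ' ', $s['SERVER_PROTOCOL'], ' => ',
         $r === null ? 'handled as XML-RPC call' : $r['status_line'], "\n";
}
```

In a real endpoint the returned status line and headers would each be passed to PHP's `header()` before the body is printed and the script exits.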