Opened 5 years ago

Closed 4 years ago

#10330 closed enhancement (fixed)

XML-RPC and AtomPub Endpoints Should Respect FORCE_SSL_ADMIN and FORCE_SSL_LOGIN

Reported by: josephscott
Owned by: josephscott
Milestone: 2.8.1
Priority: normal
Severity: normal
Version: 2.8
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:

Description

External APIs (XML-RPC and AtomPub) should force SSL access if FORCE_SSL_ADMIN or FORCE_SSL_LOGIN is set to true.

I think it makes sense to redirect to HTTPS if either FORCE_SSL_ADMIN or FORCE_SSL_LOGIN is set to true, since both endpoints pass usernames and passwords in the clear (or near clear in the case of AtomPub, which generally uses HTTP Basic Auth) and expose administrative functions.

I've got patches for -trunk and the 2.8 branch in hopes that we can get this included in the 2.8.1 release as well.

Attachments (4)

xmlrpc.php.diff (794 bytes) - added by josephscott 5 years ago.
wp-app.php.diff (796 bytes) - added by josephscott 5 years ago.
xmlrpc.php-2.8-branch.diff (2.1 KB) - added by josephscott 5 years ago.
This includes site_url() changes for the admin context from rev 11679
10330.diff (2.2 KB) - added by ryan 5 years ago.
Add 'rpc' context to siteurl which obeys ADMIN and LOGIN forced SSL

Change History (11)

comment:1 josephscott, 5 years ago

The wp-app.php.diff for -trunk should work on the 2.8 branch as well.

comment:2 Denis-de-Bernardy, 5 years ago

If a POST request gets redirected, won't it lose the POST data?

comment:3 josephscott, 5 years ago

The redirect itself won't provide the POST data, so it will be up to the client to re-send the POST data to the HTTPS address provided in the redirect.

Under normal conditions that redirect will never be needed, since clients should be using the API link in the RSD, which will indicate HTTPS when FORCE_SSL_ADMIN is set.

comment:4 josephscott, 5 years ago

Confirmed that Ryan's 10330.diff works as expected.

After thinking about this more I think that we should hold off on the forcing redirects for 2.9 and put in the 10330.diff for 2.8.1.
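The following is an added illustration, not the committed 10330.diff or any WordPress code: a hypothetical `rpc` URL context that picks `https` whenever FORCE_SSL_ADMIN or FORCE_SSL_LOGIN is true (so the RSD link advertises the secure endpoint), and an endpoint guard that refuses a plaintext request outright instead of redirecting it, since a redirected POST loses its body as discussed in comment:2 and comment:3. All function names and the constructed host are assumptions made for the example.

```php
<?php
// Stand-ins for the wp-config.php constants (constructed values for the example).
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) { define( 'FORCE_SSL_ADMIN', true ); }
if ( ! defined( 'FORCE_SSL_LOGIN' ) ) { define( 'FORCE_SSL_LOGIN', false ); }

/**
 * Hypothetical scheme selection for a URL context. The 'rpc' context is
 * forced to https when either constant is true, because XML-RPC and AtomPub
 * carry credentials and administrative calls just like the login and admin
 * contexts do.
 */
function rpc_example_scheme( $context, $force_admin, $force_login ) {
    switch ( $context ) {
        case 'admin':
            return $force_admin ? 'https' : 'http';
        case 'rpc':
            return ( $force_admin || $force_login ) ? 'https' : 'http';
        default:
            return 'http';
    }
}

// Build the URL a client should discover via RSD for the given context.
function rpc_example_url( $host, $path, $context ) {
    $scheme = rpc_example_scheme( $context, FORCE_SSL_ADMIN, FORCE_SSL_LOGIN );
    return $scheme . '://' . $host . '/' . ltrim( $path, '/' );
}

/**
 * Endpoint guard, run before any request body or credential is parsed.
 * A plaintext request is rejected with the https location in the response
 * rather than redirected, so no POST body is silently dropped mid-redirect.
 */
function rpc_example_guard( array $server, $host, $path ) {
    $is_https = ( isset( $server['HTTPS'] ) && 'off' !== strtolower( $server['HTTPS'] ) )
        || ( isset( $server['SERVER_PORT'] ) && 443 === (int) $server['SERVER_PORT'] );
    $must_ssl = ( 'https' === rpc_example_scheme( 'rpc', FORCE_SSL_ADMIN, FORCE_SSL_LOGIN ) );
    if ( $must_ssl && ! $is_https ) {
        return array( 'status' => 403, 'location' => rpc_example_url( $host, $path, 'rpc' ) );
    }
    return array( 'status' => 200, 'location' => null );
}

// Constructed sample: the advertised endpoint and a plaintext POST hitting the guard.
echo rpc_example_url( 'blog.example', 'xmlrpc.php', 'rpc' ), "\n";
$result = rpc_example_guard( array( 'HTTPS' => 'off', 'SERVER_PORT' => '80' ), 'blog.example', 'xmlrpc.php' );
echo $result['status'], ' ', $result['location'], "\n";
```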

comment:5 ryan, 5 years ago

(In [11686]) Add 'rpc' context to siteurl which obeys ADMIN and LOGIN forced SSL. see #10330

comment:6 ryan, 5 years ago

(In [11687]) Add 'rpc' context to siteurl which obeys ADMIN and LOGIN forced SSL. see #10330 for 2.8.1

comment:7 ryan, 4 years ago

  • Milestone changed from 2.9 to 2.8.1
  • Resolution set to fixed
  • Status changed from new to closed