Opened 11 years ago

Closed 10 years ago

#16402 closed defect (bug) (fixed)

IXR client doesn't properly handle XMLRPC over HTTPS

Reported by: bryanmaupin
Owned by: westi
Milestone: 3.2
Priority: normal
Severity: major
Version: 3.0
Component: XML-RPC
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

There are two problems with the IXR XMLRPC client:

  1. The current IXR client code defaults to port 80, and isn't smart enough to know the port should be 443 if an https URL is sent.
  2. The IXR client doesn't create an SSL connection even if the port is 443.

I first noticed this because we're using an Apache redirect to redirect XMLRPC requests to SSL (except the RSD) to avoid sending passwords in clear text. Some clients (like Windows Live Writer) use the blogger API instead of the wp API for wp sites. For wp multisite, blogger_getUsersBlogs() calls _multisite_getUsersBlogs(), which creates a new IXR XMLRPC client. But _multisite_getUsersBlogs() doesn't send a port number with the URL, so the IXR client defaults to port 80 (problem #1). Even if _multisite_getUsersBlogs() sent a port, the IXR client connection wouldn't be SSL (problem #2).

I'm also going to look into submitting this upstream.
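
The two problems in the description, shown for a client that opens its own socket. This is an added example, not code from IXR, WordPress or any patch on this ticket. The function name `example_xmlrpc_endpoint` and the sample URLs are hypothetical; a client that goes through `wp_remote_post()` does not need the `ssl://` prefix, as comment #6 notes.

```php
<?php
// Added illustration; not the IXR or WordPress source. Function name is hypothetical.

/**
 * Turn an XML-RPC endpoint URL into fsockopen() arguments,
 * deriving both the port and the transport from the URL scheme.
 */
function example_xmlrpc_endpoint(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }

    $scheme   = strtolower($parts['scheme']);
    $defaults = ['http' => 80, 'https' => 443];
    if (!isset($defaults[$scheme])) {
        throw new InvalidArgumentException("Unsupported scheme: $scheme");
    }

    // Problem #1: the default port follows the scheme, not a hard-coded 80.
    $port = $parts['port'] ?? $defaults[$scheme];

    // Problem #2: TLS is selected by the scheme, never inferred from the port,
    // so https on a non-standard port is still encrypted and an https URL
    // can never end up on a plaintext socket carrying credentials.
    $tls = ($scheme === 'https');

    $path = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }

    return [
        'target' => ($tls ? 'ssl://' : '') . $parts['host'], // first fsockopen() argument
        'port'   => $port,
        'path'   => $path,
        'tls'    => $tls,
    ];
}

// Constructed sample URLs.
foreach ([
    'https://blog.example.com/xmlrpc.php',
    'http://blog.example.com/xmlrpc.php',
    'https://blog.example.com:8443/xmlrpc.php',
] as $url) {
    $e = example_xmlrpc_endpoint($url);
    printf("%s -> fsockopen('%s', %d)\n", $url, $e['target'], $e['port']);
}
```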

Attachments (3)

class-IXR.php.diff (1013 bytes) - added by bryanmaupin 11 years ago.
patch for r17369
16402.diff (912 bytes) - added by garyc40 11 years ago.
fix WP_HTTP_IXR_Client
16402.2.diff (1.3 KB) - added by mdawaffe 11 years ago.

Change History (16)

@bryanmaupin
11 years ago

patch for r17369

#1 @dd32
11 years ago

WordPress has its own version of the client: http://core.trac.wordpress.org/browser/trunk/wp-includes/class-wp-http-ixr-client.php that should be used in preference to the IXR_Client base class, as it can handle server configurations and proxy servers better.

Unfortunately, it looks like that may also be affected by this, given it hard codes port 80 if it's not specified.

#2 @dd32
11 years ago

(Of course, this is only for 3.1+ #10588)

@garyc40
11 years ago

fix WP_HTTP_IXR_Client

#3 @garyc40
11 years ago

  • Keywords has-patch needs-testing added; xmlrpc ssl https removed

@bryanmaupin : could you test the patch I just attached? It modifies WP_HTTP_IXR_Client instead of IXR_Client

#4 @westi
11 years ago

  • Owner set to westi
  • Status changed from new to accepted

#5 @nacin
11 years ago

  • Version changed from 3.1 to 3.0

Moving version to 3.0 as this would not be a regression.

#6 @mdawaffe
11 years ago

There's no need to change the scheme to "ssl://". wp_remote_post() handles all of that internally when it needs to.

Additionally, we should just let wp_remote_post() (or the underlying transports) handle the default ports for the given scheme.

Patch attached.

@mdawaffe
11 years ago

#7 @mdawaffe
11 years ago

  • Cc mdawaffe added

#8 @ryan
10 years ago

  • Milestone changed from Awaiting Review to 3.2

#9 @nacin
10 years ago

Looks good here.

#10 @ryan
10 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In [17811]:

Properly handle https in ixr client. Props mdawaffe. fixes #16402

#11 follow-up: @Michael_K
10 years ago

  • Resolution fixed deleted
  • Severity changed from normal to major
  • Status changed from closed to reopened

It appears that this issue is still there in WordPress 3.2:

  • The XMLRPC-code still uses the IXR-client instead of the WP-HTTP-IXR-Client, so the patch appears to have not been applied.
  • Testing WordPress 3.2 in an environment with multi-site and SSL (plus a DMZ that also uses SSL) still fails.
  • Replacing IXR-Client with WP-HTTP-IXR-Client still does not get this working.

Please, see also #17541 for additional information.

Michael

#12 @Michael_K
10 years ago

  • Cc Michael_K added

#13 in reply to: ↑ 11 @westi
10 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to Michael_K:

It appears that this issue is still there in WordPress 3.2:

  • The XMLRPC-code still uses the IXR-client instead of the WP-HTTP-IXR-Client, so the patch appears to have not been applied.
  • Testing WordPress 3.2 in an environment with multi-site and SSL (plus a DMZ that also uses SSL) still fails.
  • Replacing IXR-Client with WP-HTTP-IXR-Client still does not get this working.

Please, see also #17541 for additional information.

Let's use #17541 to track this and re-close this ticket.
