WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 9 months ago

#18731 new enhancement

The XML-RPC Endpoint filename is hardcoded in the code (aka: my Host Blocks XML-RPC Access!)

Reported by: daniloercoli
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.2
Component: XML-RPC
Keywords: westi-likes has-patch needs-refresh dev-feedback
Focuses:
Cc:

Description

It's impossible to rename the file 'xmlrpc.php' to something different (e.g., when your hosting provider blocks access to the xmlrpc.php file), since the prefix "xmlrpc.php" is hardcoded within the source code. You can rename the file, but the XML-RPC call wp.getUsersBlog always returns the hardcoded URL.

Same issue for the pingback link and the EditURI link.

We published a plugin that should help users for the time being:
http://wordpress.org/extend/plugins/rename-xml-rpc/

Change History (18)

comment:1 follow-up: westi 3 years ago

  • Keywords westi-likes added
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Version set to 3.2

I think we should maybe come up with an alternative endpoint name for WordPress in general.

Maybe we could support http://example.com/?xmlrpc=1 and http://example.com/xmlrpc/ as endpoints in core for the rewrite-less and rewrite-full use cases.

It seems to be common, unfortunately, for hosts to block the filename xmlrpc.php.

comment:2 in reply to: ↑ 1 daniloercoli 3 years ago

> Maybe we could support http://example.com/?xmlrpc=1 and http://example.com/xmlrpc/ as endpoints in core for the rewrite-less and rewrite-full use cases.

This would be fine, but probably we should also support http://example.com/?rsd=1 and http://example.com/rsd/ as RSD endpoints in core.

comment:3 josephscott 3 years ago

  • Cc josephscott added

If we are going to do this we should probably look at filtering all of the 'xmlrpc.php' values. Perhaps an 'xmlrpc_file_name' filter?

comment:4 nacin 3 years ago

We'll probably want to introduce get_xmlrpc_url( $type = '' ), where 'type' can become 'rsd'.

Last edited 3 years ago by nacin

comment:5 markoheijnen 2 years ago

  • Cc marko@… added

comment:6 ericmann 22 months ago

  • Cc eric@… added

comment:7 wonderboymusic 20 months ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.5

Took a stab at this; most of the URLs were obtained using different flavors of site_url().

The only bizarre one was wp_xmlrpc_server::_multisite_getUsersBlogs() which appears to be trying to support a network of many sites which have many blogs. site_url() should work in this scenario as well.

Adds function: get_xmlrpc_url( $type = '' ) which is filtered by 'xmlrpc_url'

comment:8 nacin 20 months ago

Actually, I think this can be done a bit easier. There's an rpc "scheme" we pass to site_url() et al, which is used for forcing SSL when SSL login or admin is forced.

We should just always pass 'rpc' as the scheme to site_url(), which essentially means modifying the two instances in class-wp-xmlrpc-server.php. daniloercoli, that should be enough, no?
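
The approach from comments 7 and 8, as an added example that is not part of the ticket or of WordPress core: a hypothetical `demo_get_xmlrpc_url()` builds the endpoint with `site_url()` and the 'rpc' scheme, then passes it through the 'xmlrpc_url' filter named in comment 7. The stand-in functions, `example.com`, and the `remote-api.php` file name are assumptions made for the demonstration.

```php
<?php
// Added example. Stand-ins below let the file run under plain `php`;
// inside WordPress the real add_filter(), apply_filters() and site_url() are used.
if ( ! function_exists( 'apply_filters' ) ) {
    define( 'FORCE_SSL_ADMIN', true ); // constructed setting for the demo

    function demo_filters( $tag, $callback = null ) {
        static $filters = array();
        if ( null !== $callback ) {
            $filters[ $tag ][] = $callback;
        }
        return $filters[ $tag ] ?? array();
    }
    function add_filter( $tag, $callback, $priority = 10, $accepted_args = 1 ) {
        demo_filters( $tag, $callback );
    }
    function apply_filters( $tag, $value, ...$args ) {
        foreach ( demo_filters( $tag ) as $callback ) {
            $value = call_user_func( $callback, $value, ...$args );
        }
        return $value;
    }
    // Simplified: the 'rpc' scheme becomes https when SSL admin is forced.
    function site_url( $path = '', $scheme = null ) {
        $https = ( 'rpc' === $scheme && FORCE_SSL_ADMIN );
        return ( $https ? 'https' : 'http' ) . '://example.com/' . ltrim( $path, '/' );
    }
}

// Hypothetical helper with the signature suggested in the ticket:
// '' returns the XML-RPC endpoint, 'rsd' the RSD document.
function demo_get_xmlrpc_url( $type = '' ) {
    $path = ( 'rsd' === $type ) ? 'xmlrpc.php?rsd' : 'xmlrpc.php';
    return apply_filters( 'xmlrpc_url', site_url( $path, 'rpc' ), $type );
}

// Site-specific override for a host that blocks xmlrpc.php.
// 'remote-api.php' is a constructed file name.
function demo_rename_xmlrpc( $url, $type ) {
    return str_replace( '/xmlrpc.php', '/remote-api.php', $url );
}
add_filter( 'xmlrpc_url', 'demo_rename_xmlrpc', 10, 2 );

// Every caller (wp.getUsersBlogs, pingback link, EditURI link) would use the helper.
echo demo_get_xmlrpc_url(), "\n";
echo demo_get_xmlrpc_url( 'rsd' ), "\n";
```

Routing every reference through one helper keeps the advertised endpoint, the RSD document and the scheme consistent, so a renamed file is never advertised under its old name or over plain http when SSL admin is forced.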

comment:9 markoheijnen 20 months ago

I was even thinking of something more difficult than this. I was thinking about moving all the code from xmlrpc.php to somewhere else and making xmlrpc.php call that code, and then creating some kind of endpoint system like /index.php?endpoint=xmlrpc. This way you can even use the rewrite API to give it a different name than usual.

Most likely my mind is making this more difficult, but with this we would have added some steps toward a RESTful or JSON API.

comment:10 bpetty 19 months ago

  • Keywords punt added
  • Type changed from defect (bug) to enhancement

Sounds like this feature (not a bug) will likely need to be punted from 3.5 in the interest of further discussion about possible new endpoints.

comment:11 markoheijnen 19 months ago

  • Keywords punt removed
  • Milestone changed from 3.5 to Future Release
  • Type changed from enhancement to defect (bug)

This is a bug that does need to be fixed. It can result in an enhancement in a better API for new endpoints.
I did punt it for now, and hopefully this is something that can be discussed at the summit.

comment:12 nacin 19 months ago

  • Type changed from defect (bug) to enhancement

This is not a bug. Allowing the endpoint to be changed is an enhancement.

The "bug" here is that some xmlrpc.php references are missing 'rpc'. I'll be fixing that in 3.5, but the rest of this should be punted.

comment:13 nacin 19 months ago

In [22171]:

Reference xmlrpc.php with the 'rpc' site_url() argument to ensure a proper scheme is applied. see #18731.

comment:14 wonderboymusic 16 months ago

  • Keywords needs-refresh added

comment:15 wonderboymusic 16 months ago

Should 'pingback_url' and the RSD <link> be site_url with rpc scheme as well?

comment:16 Zengy 9 months ago

  • Keywords dev-feedback added
  • Severity changed from major to trivial

Pingbacks don't require a login/password or https to work, so I don't think this is a necessary fix.

comment:17 DrewAPicture 9 months ago

  • Keywords mobile removed
  • Priority changed from high to normal

comment:18 markoheijnen 9 months ago

  • Severity changed from trivial to normal

This has nothing to do with login/password or https.
