#20986 closed defect (bug) (fixed)
xmlrpc.php should return http 405 for get requests (and not 200)
Reported by: | rhertzog | Owned by: | nacin |
---|---|---|---|
Milestone: | 4.2 | Priority: | normal |
Severity: | normal | Version: | |
Component: | XML-RPC | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
$ curl -v http://raphaelhertzog.com/xmlrpc.php [...] > GET /xmlrpc.php HTTP/1.1 < HTTP/1.1 200 OK [...] XML-RPC server accepts POST requests only.
The error returned should be reflected in the HTTP return code: it should return HTTP 405 (Method not allowed) instead of 200 (OK).
This has been originally reported in the Debian bug tracking system: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598124
Attachments (2)
Change History (13)
#3
follow-up:
↓ 4
@
12 years ago
Returning 405 sounds reasonable.
@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?
#4
in reply to:
↑ 3
@
12 years ago
Replying to josephscott:
@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?
Valid question. I was just following examples of similar behavior elsewhere in core.
- /wp-comments-post.php@L10
- /wp-includes/class-wp-atom-server.php (multiple)
Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?
#5
@
12 years ago
Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?
We have one — status_header( 405 );
The logic in load.php is simply there because under maintenance mode, we have very little of WordPress loaded.
#7
@
10 years ago
- Keywords commit added
- Milestone changed from Awaiting Review to 4.2
Oops, time to commit this. :)
#8
@
10 years ago
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed
In 31004:
#9
@
10 years ago
I wonder if this will break clients that check for a 200 from GET /xmlrpc.php to see if that URL is accessible. I guess we will find out.
#10
@
10 years ago
"I wonder if this will break clients that check for a 200 from GET /xmlrpc.php to see if that URL is accessible. I guess we will find out."
It did - SiteImprove now reports 405 errors for every page in my web site, pretty much negating the value of its report. Sure, you can say that SiteImprove is at fault, yada yada, but this change isn't helping me.
Added a patch for this. Not sure if this should go in 3.4.x or 3.5, need core dev input.