Make WordPress Core

Opened 13 years ago

Closed 10 years ago

Last modified 7 years ago

#20986 closed defect (bug) (fixed)

xmlrpc.php should return http 405 for get requests (and not 200)

Reported by: rhertzog's profile rhertzog Owned by: nacin's profile nacin
Milestone: 4.2 Priority: normal
Severity: normal Version:
Component: XML-RPC Keywords: has-patch commit
Focuses: Cc:

Description

$ curl -v http://raphaelhertzog.com/xmlrpc.php
[...]
> GET /xmlrpc.php HTTP/1.1
 
< HTTP/1.1 200 OK
[...]
XML-RPC server accepts POST requests only.

The error returned should be reflected in the HTTP return code: it should return HTTP 405 (Method not allowed) instead of 200 (OK).

This has been originally reported in the Debian bug tracking system: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598124

Attachments (2)

20986.patch (679 bytes) - added by maxcutler 13 years ago.
20986.2.patch (658 bytes) - added by maxcutler 12 years ago.

Download all attachments as: .zip

Change History (13)

#1 @SergeyBiryukov
13 years ago

  • Component changed from General to XML-RPC

@maxcutler
13 years ago

#2 @maxcutler
13 years ago

  • Cc maxcutler added
  • Keywords has-patch added

Added a patch for this. Not sure if this should go in 3.4.x or 3.5, need core dev input.

#3 follow-up: @josephscott
12 years ago

Returning 405 sounds reasonable.

@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?

#4 in reply to: ↑ 3 @maxcutler
12 years ago

Replying to josephscott:

@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?

Valid question. I was just following examples of similar behavior elsewhere in core.

  • /wp-comments-post.php@L10
  • /wp-includes/class-wp-atom-server.php (multiple)

Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?

#5 @nacin
12 years ago

Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?

We have one — status_header( 405 ); The logic in load.php is simply there because under maintenance mode, we have very little of WordPress loaded.

@maxcutler
12 years ago

#6 @maxcutler
12 years ago

Thanks nacin and sivel. Uploaded a new patch that uses status_header.

#7 @nacin
10 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 4.2

Oops, time to commit this. :)

#8 @nacin
10 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 31004:

XML-RPC: Send 405 Method Not Allowed for GET requests.

props maxcutler.
fixes #20986.

#9 @nacin
10 years ago

I wonder if this will break clients that check for a 200 from GET /xmlrpc.php to see if that URL is accessible. I guess we will find out.

#10 @marcmoore
10 years ago

"I wonder if this will break clients that check for a 200 from GET /xmlrpc.php to see if that URL is accessible. I guess we will find out."

It did - SiteImprove now reports 405 errors for every page in my web site, pretty much negating the value of its report. Sure, you can say that SiteImprove is at fault, yada yada, but this change isn't helping me.

#12 @cchen
9 years ago

This change also disabled the mimic.js, the Xml Rpc Request.send function won't work

Note: See TracTickets for help on using tickets.