Make WordPress Core

Opened 23 months ago

Last modified 22 months ago

#20986 new defect (bug)

xmlrpc.php should return http 405 for get requests (and not 200)

Reported by: rhertzog Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: XML-RPC Keywords: has-patch
Focuses: Cc:

Description

$ curl -v http://raphaelhertzog.com/xmlrpc.php
[...]
> GET /xmlrpc.php HTTP/1.1
 
< HTTP/1.1 200 OK
[...]
XML-RPC server accepts POST requests only.

The error returned should be reflected in the HTTP return code: it should return HTTP 405 (Method not allowed) instead of 200 (OK).

This has been originally reported in the Debian bug tracking system: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598124

Attachments (2)

20986.patch (679 bytes) - added by maxcutler 23 months ago.
20986.2.patch (658 bytes) - added by maxcutler 22 months ago.

Change History (8)

comment:1 SergeyBiryukov 23 months ago

  • Component changed from General to XML-RPC

maxcutler 23 months ago

comment:2 maxcutler 23 months ago

  • Cc maxcutler added
  • Keywords has-patch added

Added a patch for this. Not sure if this should go in 3.4.x or 3.5, need core dev input.

comment:3 follow-up: josephscott 22 months ago

Returning 405 sounds reasonable.

@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?

comment:4 in reply to: ↑ 3 maxcutler 22 months ago

Replying to josephscott:

@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?

Valid question. I was just following examples of similar behavior elsewhere in core.

  • /wp-comments-post.php@L10
  • /wp-includes/class-wp-atom-server.php (multiple)

Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?

comment:5 nacin 22 months ago

Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?

We have one — status_header( 405 ); The logic in load.php is simply there because under maintenance mode, we have very little of WordPress loaded.

maxcutler 22 months ago

comment:6 maxcutler 22 months ago

Thanks nacin and sivel. Uploaded a new patch that uses status_header.
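As an added illustration of the approach the thread converges on (this is not the contents of either attached patch, which this page does not show), the check below rejects non-POST requests with the core status_header( 405 ) call from comment:5 instead of a hard-coded "HTTP/1.1 405" status line. It assumes WordPress is already loaded, as xmlrpc.php arranges by requiring wp-load.php; the function name xmlrpc_example_require_post is hypothetical. Two details worth having in any such fix: status_header() builds the status line from the request's own SERVER_PROTOCOL (falling back to HTTP/1.0), which answers the HTTP 1.0 concern in comment:3, and RFC 2616 section 10.4.6 requires a 405 response to carry an Allow header listing the permitted methods.

```php
<?php
// Added example, not the ticket's patch. Assumes WordPress is loaded
// (xmlrpc.php does require_once dirname( __FILE__ ) . '/wp-load.php' first).

/**
 * Send "405 Method Not Allowed" and stop unless the request is a POST.
 *
 * status_header() chooses the protocol in the status line from
 * $_SERVER['SERVER_PROTOCOL'] (HTTP/1.0 or HTTP/1.1), so an HTTP/1.0
 * client never receives a hard-coded HTTP/1.1 status line.
 * RFC 2616 section 10.4.6 says a 405 MUST include an Allow header.
 */
function xmlrpc_example_require_post() {
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( $_SERVER['REQUEST_METHOD'] ) : '';

	if ( 'POST' === $method ) {
		return; // normal XML-RPC traffic proceeds to the request handler
	}

	if ( ! headers_sent() ) {
		status_header( 405 );                 // core API; was "header( 'HTTP/1.1 405 ...' )" in the first patch
		header( 'Allow: POST' );              // required companion header for a 405
		header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) );
	}

	// A HEAD response must not carry a body; every other method keeps the
	// same human-readable message the endpoint already returns with 200.
	if ( 'HEAD' !== $method ) {
		echo 'XML-RPC server accepts POST requests only.';
	}
	exit;
}

xmlrpc_example_require_post();
```

Placed at the top of an endpoint, this keeps the visible message from the description unchanged while making the HTTP status agree with it, so monitoring and scanners that key on status codes no longer see a healthy 200 for a request the server has refused.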
