Make WordPress Core

Opened 5 years ago

Closed 3 years ago

Last modified 7 weeks ago

#20986 closed defect (bug) (fixed)

xmlrpc.php should return http 405 for get requests (and not 200)

Reported by: rhertzog Owned by: nacin
Milestone: 4.2 Priority: normal
Severity: normal Version:
Component: XML-RPC Keywords: has-patch commit
Focuses: Cc:

Description

$ curl -v http://raphaelhertzog.com/xmlrpc.php
[...]
> GET /xmlrpc.php HTTP/1.1
 
< HTTP/1.1 200 OK
[...]
XML-RPC server accepts POST requests only.

The error returned should be reflected in the HTTP return code: it should return HTTP 405 (Method not allowed) instead of 200 (OK).

This was originally reported in the Debian bug tracking system: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598124

Attachments (2)

20986.patch (679 bytes) - added by maxcutler 5 years ago.
20986.2.patch (658 bytes) - added by maxcutler 5 years ago.

Change History (13)

#1 @SergeyBiryukov
5 years ago

  • Component changed from General to XML-RPC

@maxcutler
5 years ago

#2 @maxcutler
5 years ago

  • Cc maxcutler added
  • Keywords has-patch added

Added a patch for this. Not sure if this should go in 3.4.x or 3.5, need core dev input.

#3 follow-up: @josephscott
5 years ago

Returning 405 sounds reasonable.

@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?

#4 in reply to: ↑ 3 @maxcutler
5 years ago

Replying to josephscott:

@maxcutler - I don't think we should hard code HTTP 1.1 as the response. Will HTTP 1.0 clients freak out if we do that?

Valid question. I was just following examples of similar behavior elsewhere in core.

  • /wp-comments-post.php@L10
  • /wp-includes/class-wp-atom-server.php (multiple)

Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?

#5 @nacin
5 years ago

Maybe there should be a core API for this that is smarter, like found in load.php@L163-168?

We have one — status_header( 405 ). The logic in load.php is simply there because under maintenance mode, we have very little of WordPress loaded.

@maxcutler
5 years ago

#6 @maxcutler
5 years ago

Thanks nacin and sivel. Uploaded a new patch that uses status_header.

#7 @nacin
3 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 4.2

Oops, time to commit this. :)

#8 @nacin
3 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 31004:

XML-RPC: Send 405 Method Not Allowed for GET requests.

props maxcutler.
fixes #20986.

#9 @nacin
3 years ago

I wonder if this will break clients that check for a 200 from GET /xmlrpc.php to see if that URL is accessible. I guess we will find out.

#10 @marcmoore
2 years ago

"I wonder if this will break clients that check for a 200 from GET /xmlrpc.php to see if that URL is accessible. I guess we will find out."

It did - SiteImprove now reports 405 errors for every page in my web site, pretty much negating the value of its report. Sure, you can say that SiteImprove is at fault, yada yada, but this change isn't helping me.
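An added example, not code from this ticket or from WordPress core, showing how a monitoring client can treat both the older 200 reply and the post-fix 405 reply as "endpoint reachable" instead of reporting every non-200 status as an error. The raw replies are constructed for the example; the only parts a real check should rely on are the status code, the Allow header and the body notice.

```python
"""Classify a GET /xmlrpc.php reply the way a tolerant monitoring client should.

Added example, not code from the ticket or from WordPress core.  The sample
replies are constructed to mirror the two behaviours discussed here: the older
'200 OK' with a plain-text notice, and the '405 Method Not Allowed' sent after
the fix.  Real header sets will differ; only status, body and Allow matter.
"""

# Constructed sample replies (not captured from a real site).
LEGACY_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain;charset=UTF-8\r\n\r\n"
                b"XML-RPC server accepts POST requests only.")
FIXED_REPLY = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: POST\r\n"
               b"Content-Type: text/plain;charset=UTF-8\r\n\r\n"
               b"XML-RPC server accepts POST requests only.")
MISSING_REPLY = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"


def parse_http_reply(raw):
    """Split a raw HTTP/1.x reply into (status, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def allowed_methods(headers):
    """Methods advertised in the Allow header (RFC 7231 requires it on a 405)."""
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def classify_xmlrpc_get(raw):
    """Return 'reachable', 'reachable-legacy', 'missing' or 'unexpected'.

    A 405 is the correct answer to a GET on an XML-RPC endpoint, so a checker
    that treats every non-200 status as an error is wrong.  The pre-fix 200
    with the POST-only notice still means the endpoint is there; it is
    reported separately so operators can tell the two server versions apart.
    """
    status, headers, body = parse_http_reply(raw)
    if status == 405:
        return "reachable"
    if status == 200 and b"accepts POST requests only" in body:
        return "reachable-legacy"
    if status == 404:
        return "missing"
    return "unexpected"
```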

#12 @cchen
21 months ago

This change also disabled the mimic.js; the Xml Rpc Request.send function won't work.