WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#27447 closed defect (bug) (fixed)

'XML-RPC server accepts POST requests only.' returned by xml-rpc.php while doing_wp_cron.

Reported by: sduval Owned by: wonderboymusic
Milestone: 4.4 Priority: normal
Severity: normal Version: 3.8.1
Component: XML-RPC Keywords: has-patch
Focuses: Cc:

Description

While using ALTERNATE_WP_CRON, there is a redirect to a modified url including doing_wp_cron whenever a cron must be performed.

A condition prevents the redirection from happening on POST, but when an xmlrpc is posted, the guard (!empty($_POST)) fails to prevent the redirection because the content does not get parsed into $_POST.

In cron.php, spawn_cron, I propose replacing

function spawn_cron( $gmt_time = 0 ) {
...
	if ( defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON ) {
                      
		if ( !empty($_POST) || defined('DOING_AJAX') )
                    return;

by

function spawn_cron( $gmt_time = 0 ) {
...
	if ( defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON ) {
                      
		if ( 'POST' == $_SERVER['REQUEST_METHOD'] || defined('DOING_AJAX') )
                    return;

Attachments (3)

27447.diff (538 bytes) - added by markoheijnen 7 years ago.
27447.2.diff (604 bytes) - added by markoheijnen 7 years ago.
27447.3.diff (505 bytes) - added by johnbillion 6 years ago.

Download all attachments as: .zip

Change History (13)

@markoheijnen
7 years ago

#1 @markoheijnen
7 years ago

  • Milestone changed from Awaiting Review to 4.1

Sorry for the late response. I'm unsure why you would have seen it. Added a check when using XML-RPC which would also prevent issues when using JSON REST API.

Moving to 4.1.

#2 @SergeyBiryukov
7 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 29732:

Skip ALTERNATE_WP_CRON redirect when performing XML-RPC requests.

props markoheijnen.
fixes #27447.

#3 @nacin
7 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

I think switching to SERVER_METHOD is probably a bit better here. $_POST is fine when we want to be naïve, but this case shows we need to expect that people will sometimes use raw POST data. php://input isn't re-readable until PHP 5.6 and that's overkill anyway. If we're receiving POST data, then it has to be a POST method. (The reverse isn't true: you can still receive query variables that get parsed into $_GET in a POST request.)

Checking XMLRPC_REQUEST is fine, but we should probably do a direct method check instead.

#4 @rmccue
7 years ago

Agreed on changing this, but I'd probably just make it filterable instead. The REST API sets XMLRPC_REQUEST right now for compatibility, but I could see that disappearing in the future.

@markoheijnen
7 years ago

#5 @markoheijnen
7 years ago

  • Keywords has-patch added

Totally forgot about raw POST data. Included a new patch that fixes it and includes a filter.

#6 @SergeyBiryukov
7 years ago

If we switch to 'POST' != $_SERVER['REQUEST_METHOD'], do we still need the other checks and the filter?

@johnbillion
6 years ago

#7 @johnbillion
6 years ago

  • Keywords needs-docs added
  • Milestone changed from 4.1 to Future Release

I think we should explicitly check for a GET method here to also avoid doing redirects with methods such as PUT, DELETE, etc.

Patch attached.

#8 @johnbillion
6 years ago

  • Keywords needs-docs removed

#9 @wonderboymusic
6 years ago

  • Milestone changed from Future Release to 4.4
  • Owner changed from SergeyBiryukov to wonderboymusic
  • Status changed from reopened to assigned

#10 @wonderboymusic
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34576:

Cron: In spawn_cron(), when using ALTERNATE_WP_CRON, return early for any non-GET, instead of naively checking ! empty( $_POST ).

Props johnbillion, markoheijnen.
Fixes #27447.

Note: See TracTickets for help on using tickets.