'XML-RPC server accepts POST requests only.' returned by xml-rpc.php while doing_wp_cron.

[sduval]

While using ALTERNATE_WP_CRON, there is a redirect to a modified url including doing_wp_cron whenever a cron must be performed.

A condition prevents the redirection from happening on POST, but when an xmlrpc is posted, the guard (!empty($_POST)) fails to prevent the redirection because the content does not get parsed into $_POST.

In cron.php, spawn_cron, I propose replacing

function spawn_cron( $gmt_time = 0 ) {
...
	if ( defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON ) {
                      
		if ( !empty($_POST) || defined('DOING_AJAX') )
                    return;

by

function spawn_cron( $gmt_time = 0 ) {
...
	if ( defined('ALTERNATE_WP_CRON') && ALTERNATE_WP_CRON ) {
                      
		if ( 'POST' == $_SERVER['REQUEST_METHOD'] || defined('DOING_AJAX') )
                    return;

[markoheijnen]

Sorry for the late response. I'm unsure why you would have seen it. Added a check when using XML-RPC which would also prevent issues when using JSON REST API.

Moving to 4.1.

[SergeyBiryukov]

In 29732:

Skip ALTERNATE_WP_CRON redirect when performing XML-RPC requests.

props markoheijnen.
fixes #27447.

[nacin]

I think switching to SERVER_METHOD is probably a bit better here. $_POST is fine when we want to be naïve, but this case shows we need to expect that people will sometimes use raw POST data. php://input isn't re-readable until PHP 5.6 and that's overkill anyway. If we're receiving POST data, then it has to be a POST method. (The reverse isn't true: you can still receive query variables that get parsed into $_GET in a POST request.)

Checking XMLRPC_REQUEST is fine, but we should probably do a direct method check instead.

[rmccue]

Agreed on changing this, but I'd probably just make it filterable instead. The REST API sets XMLRPC_REQUEST right now for compatibility, but I could see that disappearing in the future.

[markoheijnen]

Totally forgot about raw POST data. Included a new patch that fixes it and includes a filter.

[SergeyBiryukov]

If we switch to 'POST' != $_SERVER['REQUEST_METHOD'], do we still need the other checks and the filter?

[johnbillion]

I think we should explicitly check for a GET method here to also avoid doing redirects with methods such as PUT, DELETE, etc.

Patch attached.

[wonderboymusic]

In 34576:

Cron: In spawn_cron(), when using ALTERNATE_WP_CRON, return early for any non-GET, instead of naively checking ! empty( $_POST ).

Props johnbillion, markoheijnen.
Fixes #27447.