
Opened 5 years ago

Closed 2 years ago

#28424 closed defect (bug) (maybelater)

XML-RPC endpoint doesn't enforce the admin scheme

Reported by: johnbillion
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: https
Focuses: administration
Cc:
PR Number:

Description

Scenario: a site where the admin area is served over SSL via FORCE_SSL_ADMIN and the front end is served over HTTP.

Calling example.com/xmlrpc.php?rsd lists the available endpoints and correctly uses the admin scheme. However, the scheme isn't enforced, and you can still POST to these endpoints over HTTP.

IMO if FORCE_SSL_ADMIN is set, the XML-RPC endpoint should be forced over SSL. HTTP requests should be blocked outright with a relevant error message.

A situation where this could be an issue is where a site's admin area was previously served over HTTP but switched to HTTPS. A client app (e.g. one of the mobile apps) may still be using the HTTP endpoint and therefore avoiding FORCE_SSL_ADMIN.
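The hard block the report proposes (refuse XML-RPC method calls over plain HTTP whenever FORCE_SSL_ADMIN is on, and say why) can be prototyped as a must-use plugin without touching core. The following is an added example written for this page, not code from the ticket or from WordPress core; the plugin file name, the function names and the fault code 403 are assumptions, while `XMLRPC_REQUEST`, `force_ssl_admin()`, `is_ssl()`, `set_url_scheme()` and the `init` hook are existing WordPress APIs. It leaves the `?rsd` discovery document alone, since the ticket notes that already advertises the HTTPS endpoint, and only rejects POST bodies, which are the requests that carry credentials.

```php
<?php
/**
 * Plugin Name: Require HTTPS for XML-RPC when FORCE_SSL_ADMIN is set
 *
 * Hypothetical mu-plugin (drop into wp-content/mu-plugins/). Not part of
 * WordPress core or of the ticket; it implements the behaviour the ticket
 * proposes: when the admin area is forced onto SSL, refuse XML-RPC method
 * calls that arrive over plain HTTP instead of silently serving them.
 */

// Emit a minimal XML-RPC fault and stop. Built by hand here because this runs
// on 'init', before wp_xmlrpc_server (and its own error() helper) is loaded.
function xmlrpc_https_only_fault( $code, $message ) {
    status_header( 403 );
    nocache_headers();
    header( 'Content-Type: text/xml; charset=UTF-8' );
    echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
    echo '<methodResponse><fault><value><struct>'
        . '<member><name>faultCode</name><value><int>' . (int) $code . '</int></value></member>'
        . '<member><name>faultString</name><value><string>' . esc_html( $message ) . '</string></value></member>'
        . '</struct></value></fault></methodResponse>';
    exit;
}

function xmlrpc_https_only_enforce() {
    // xmlrpc.php defines XMLRPC_REQUEST before loading WordPress; act only there.
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }
    // force_ssl_admin() reflects the FORCE_SSL_ADMIN constant from wp-config.php.
    if ( ! force_ssl_admin() ) {
        return;
    }
    // is_ssl() reads $_SERVER['HTTPS'] / SERVER_PORT. Behind a TLS-terminating
    // proxy, wp-config.php must already map X-Forwarded-Proto onto $_SERVER['HTTPS'],
    // otherwise every request looks like plain HTTP and all clients are refused.
    if ( is_ssl() ) {
        return;
    }
    // GET ?rsd (discovery) already points clients at the HTTPS endpoint; only
    // method calls arrive as POST bodies, and those are what carry credentials.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $https_endpoint = set_url_scheme( site_url( 'xmlrpc.php' ), 'https' );
    xmlrpc_https_only_fault(
        403,
        'XML-RPC on this site is only available over HTTPS. Use ' . $https_endpoint
    );
}
// Priority 1 so the refusal happens before other init-time XML-RPC customisations.
add_action( 'init', 'xmlrpc_https_only_enforce', 1 );
```

Two caveats follow directly from the discussion below. First, this is a hard failure, not a redirect, so a client whose user typed an `http://` endpoint stops working until it is reconfigured; that is the breakage the comments warn about, and it is the price of not silently accepting credentials over HTTP. Second, by the time the fault is sent the client has already transmitted its username and password in that first plaintext request, so the block prevents continued use and surfaces the misconfiguration but cannot protect the request that triggered it.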

Change History (8)

#1 @johnbillion
5 years ago

  • Component changed from XML-RPC to Security

This ticket was mentioned in IRC in #wordpress-dev by johnbillion.
5 years ago

#3 @nacin
5 years ago

Most clients have users which configure the endpoint directly, bypassing discovery. But unfortunately we may need to live with this one. Doing this could easily break clients that don't perfectly obey a 307 redirect (probably most).

#4 @nacin
5 years ago

Looks like both the WordPress Android and iOS apps do hit the RSD endpoint.

#5 @johnbillion
5 years ago

  • Keywords close added

A 307 wouldn't solve the issue anyway as it's for temporary redirects ("In this case, the request should be repeated with another URI; however, future requests should still use the original URI"). If the client did respect 307s, requests would still be sent over HTTP and then just re-sent over HTTPS. To be effective, we'd need a way to say "stop sending requests over HTTP".

I think you're right that this is something we'll need to live with.

#6 @johnbillion
4 years ago

  • Keywords close removed

I think the solution here is to make this dependent on whatever constant/functionality ends up getting implemented in #28521.

#7 @johnbillion
4 years ago

  • Keywords https added

#8 @johnbillion
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to maybelater
  • Status changed from new to closed