Opened 11 years ago
Closed 8 years ago
#28424 closed defect (bug) (maybelater)
XML-RPC endpoint doesn't enforce the admin scheme
Reported by: | Owned by:
Milestone: | Priority: normal
Severity: normal | Version:
Component: Security | Keywords: https
Focuses: administration | Cc:
Description
Scenario: a site where the admin area is served over SSL via FORCE_SSL_ADMIN and the front end is served over HTTP.
Calling example.com/xmlrpc.php?rsd lists the available endpoints and correctly uses the admin scheme. However, the scheme isn't enforced, and you can still POST to these endpoints over HTTP.
IMO if FORCE_SSL_ADMIN is set, the XML-RPC endpoint should be forced over SSL. HTTP requests should be blocked outright with a relevant error message.
A situation where this could be an issue is where a site's admin area was previously served over HTTP but switched to HTTPS. A client app (e.g. one of the mobile apps) may still be using the HTTP endpoint and therefore avoiding FORCE_SSL_ADMIN.
Change History (8)
This ticket was mentioned in IRC in #wordpress-dev by johnbillion. 11 years ago
#5 @ 11 years ago
- Keywords close added
A 307 wouldn't solve the issue anyway as it's for temporary redirects ("In this case, the request should be repeated with another URI; however, future requests should still use the original URI"). If the client did respect 307s, requests would still be sent over HTTP and then just re-sent over HTTPS. To be effective, we'd need a way to say "stop sending requests over HTTP".
I think you're right that this is something we'll need to live with.
Most clients have users who configure the endpoint directly, bypassing discovery. But unfortunately we may need to live with this one. Doing this could easily break clients that don't perfectly obey a 307 redirect (probably most).
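The description asks for plain-HTTP XML-RPC calls to be refused outright when FORCE_SSL_ADMIN is on, and comment #5 explains why a 307 redirect would not achieve that. The mu-plugin below is an added example of the "block outright" behaviour written for this page; it is not WordPress core code and not a patch that was attached to the ticket. It relies on real WordPress APIs (`XMLRPC_REQUEST`, `force_ssl_admin()`, `is_ssl()`, `status_header()`, `nocache_headers()`, `site_url()`); the function names prefixed `example_` are hypothetical. It refuses only POSTs (method calls), so the GET `?rsd` discovery document, which already advertises the admin-scheme URL, keeps working.

```php
<?php
/**
 * Plugin Name: Force the admin scheme for XML-RPC (example)
 *
 * Added example, not WordPress core. Drop into wp-content/mu-plugins/.
 * When FORCE_SSL_ADMIN is enabled, XML-RPC method calls that arrive over
 * plain HTTP get an XML-RPC fault and a 403 instead of a redirect.
 */

/**
 * Hypothetical helper: true when the current request is an XML-RPC method
 * call over plain HTTP on a site that forces SSL for the admin area.
 */
function example_xmlrpc_plain_http_blocked() {
	// xmlrpc.php defines XMLRPC_REQUEST before loading wp-load.php,
	// so it is already set when mu-plugins run.
	if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
		return false;
	}
	// Method calls are POSTs; GET ?rsd is discovery only and carries no credentials.
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
	if ( 'POST' !== $method ) {
		return false;
	}
	// force_ssl_admin() called without an argument reports the current setting.
	return force_ssl_admin() && ! is_ssl();
}

/**
 * Hypothetical helper: build a minimal XML-RPC fault body by hand, because
 * class-IXR.php (IXR_Error) is not loaded yet at plugins_loaded time.
 */
function example_xmlrpc_fault_body( $code, $message ) {
	$safe_message = htmlspecialchars( $message, ENT_XML1 | ENT_QUOTES, 'UTF-8' );
	return '<?xml version="1.0"?>' . "\n"
		. '<methodResponse><fault><value><struct>'
		. '<member><name>faultCode</name><value><int>' . (int) $code . '</int></value></member>'
		. '<member><name>faultString</name><value><string>' . $safe_message . '</string></value></member>'
		. '</struct></value></fault></methodResponse>' . "\n";
}

/**
 * Hypothetical handler: refuse the request with a 403 and a fault that names
 * the HTTPS endpoint, so a client (or its user) can see what to fix.
 */
function example_xmlrpc_enforce_admin_scheme() {
	if ( ! example_xmlrpc_plain_http_blocked() ) {
		return;
	}
	$https_endpoint = site_url( 'xmlrpc.php', 'https' );
	status_header( 403 );
	nocache_headers();
	header( 'Content-Type: text/xml; charset=UTF-8' );
	echo example_xmlrpc_fault_body(
		403,
		'XML-RPC requests to this site must use HTTPS. Use ' . $https_endpoint . ' instead.'
	);
	exit;
}
add_action( 'plugins_loaded', 'example_xmlrpc_enforce_admin_scheme' );
```

Two caveats follow directly from the ticket discussion. First, the rejected POST has already been transmitted in clear text, credentials included, by the time the server answers; a fault like this stops the client from continuing to use the HTTP URL (if its user notices and fixes the configured endpoint), it does not protect the request that was just sent. Second, as comment #5 notes, clients with a directly configured endpoint never re-run discovery, so after switching a site to FORCE_SSL_ADMIN those clients will simply start failing until the URL is updated, which is the trade-off the ticket accepted by closing as maybelater.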