Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 9 months ago

#56492 closed defect (bug) (fixed)

blogger.getUsersBlogs doesn't work on Multisite when HTTPS is enforced

Reported by: dd32's profile dd32 Owned by: desrosj's profile desrosj
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: XML-RPC Keywords: has-patch
Focuses: multisite Cc:

Description

The XML-RPC endpoint blogger.getUsersBlogs doesn't work on Multisite environments which require HTTPS.

This is because the endpoint defers to wp_xmlrpc_server::_multisite_getUsersBlogs() on multisite which then performs a new IXR request against the current site, and IXR_Client only supports HTTP.

https://github.com/WordPress/wordpress-develop/blob/3a730ec57c2a29765b438cc8bd9559eda2e8f648/src/wp-includes/class-wp-xmlrpc-server.php#L4847-L4856

The attached PR simply changes the code to instead call the XMLRPC method directly, rather than through an additional HTTP request, avoiding the network loopback request and removing the failure points.

Change History (7)

This ticket was mentioned in PR #3167 on WordPress/wordpress-develop by dd32.


2 years ago
#1

  • Keywords has-patch added

#2 @SergeyBiryukov
2 years ago

  • Milestone changed from Awaiting Review to 6.1

#3 @desrosj
2 years ago

  • Owner set to desrosj
  • Status changed from new to reviewing

#4 @desrosj
2 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 54468:

XML-RPC: Avoid loopback request in blogger.getUsersBlogs.

The blogger.getUsersBlogs endpoint does not currently work on Multisite environments which require HTTPS.

This changes wp_xmlrpc_server::_multisite_getUsersBlogs() to call the method directly instead of relying on a new IXR_Client request, which only supports HTTP.

Props dd32.
Fixes #56492.

desrosj commented on PR #3167:


2 years ago
#5

Merged in wp_getUsersBlogs.

@desrosj commented on PR #3167:


9 months ago
#6

This is a closed PR. Could you please open a ticket on Trac with more details?

justid commented on PR #3167:


9 months ago
#7

This is a closed PR. Could you please open a ticket on Trac with more details?

I want to , but i cant open wordpress trac website.

This issue is simple:
File class-wp-xmlrpc-server.php, line 4881:
Just change
$blogs = $this->wp_getUsersBlogs( $args );
To

$blogs = $this->wp_getUsersBlogs( [$args[1], $args[2] );  
// my last comment is incorrect, it should be [$args[1], $args[2] , not [$args[0], $args[1] 

Then xml-rpc on multisite will work.
Here is the reason:
_multisite_getUsersBlogs's args are

@type int    $0 Blog ID (unused).
@type string $1 Username.
@type string $2 Password.

But wp_getUsersBlogs's args are

@type string $0 Username.
@type string $1 Password.
Note: See TracTickets for help on using tickets.