Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#62717 new defect (bug)

POST request to pages returns 200 or 404

Reported by: prestonwordsworth's profile prestonwordsworth Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.7.1
Component: HTTP API Keywords:
Focuses: Cc:

Description

When we send a POST request to a regular page via cURL with no data/body, we get 200 and a response containing the page content just as we would with GET.

When we send POST requests with arbitrary data, however, we get either 404 or 200 depending on the request body.

Is this an inconsistency to be fixed or just undocumented, but intended, behaviour?

Change History (2)

#1 follow-up: @abcd95
7 weeks ago

Hey @prestonwordsworth, Thanks for bringing this up!

While I would be able to suggest better if the data being sent was provided, with the information given, I can see that the behavior you're observing is the expected implementation.

Empty POST requests are treated as GET requests, returning a 200 status with page content. When POST requests include data, WordPress attempts to find a registered handler for that data pattern. With a matching handler, it returns 200, otherwise 404.

It's working as designed, though I agree with you that it could be better documented.

#2 in reply to: ↑ 1 @prestonwordsworth
7 weeks ago

This is very helpful to know – thank you @abcd95!

Empty POST requests are treated as GET requests, returning a 200 status with page content.

If this is intended to be used for cache invalidation, I hope there’s a way to prevent POST flood cache bypass attacks.

Note: See TracTickets for help on using tickets.