#7157 closed enhancement (fixed)
Disable APP and XMLRPC publishing by default
Reported by: | westi | Owned by: | westi |
---|---|---|---|
Milestone: | 2.6 | Priority: | high |
Severity: | normal | Version: | |
Component: | Security | Keywords: | has-patch |
Focuses: | Cc: |
Description
In order to protect the majority of blogs which don't use these protocols against any possible security vulnerabilities we should disable them by default.
This is similar to the idea that registration is disabled by default.
Attachments (10)
Change History (38)
#1
@
16 years ago
- Cc josephscott added
Patch adds the options, UI and lockdown for xmlrpc but needs the lockdown for APP implementing.
#4
@
16 years ago
What a bummer. Terrible news for desktop clients. I hope the security enhancing tradeoff is very high because this will be a support burden on developers who are supporting users of desktop clients.
It's also worth noting that this will add friction to the process of using a remote client with WordPress, and therefore make other systems such as Blogger potentially more attractive to such users.
Daniel
#5
@
16 years ago
We should of course consider making these options part of the 5 minute install like the privacy ones are.
Something like Enable Remote Client access - which would enable both types by default?
#8
@
16 years ago
Will there be a way to find out whether the remote publishing is disabled or not?
I.e. some meaningful error message when you call the disabled XML-RPC methods or a special method that answers "disabled/enabled".
As a weblog client developer I would like to let the users know that why the "publishing" failed and tell them what they should do to fix the issue. So I need to distinguish this error from all other types of errors.
P.S. BTW adding the option to the "5 minute install" won't help much. People install blogs, then, after some time, they discover remote weblog clients. By that time they have already forgotten about those options they saw during the install.
#9
@
16 years ago
Great points UseShots. I think you're right about the "deciding later" to use a remote client. All in all I think this change will be disappointing for remote editors, and their users, but I like your idea about at least providing a meaningful way of detecting this condition.
One of the major nuisances with Movable Type is that users are required to know about and then use a separate "web services" password. It would help a lot in their case if they just arranged for the authentication failure to explain what might be going wrong.
Is it at all worth considering a "secured mode" xmlrpc.php and app.php, that just returns an error stating that the user has not enabled access?
#10
follow-up:
↓ 15
@
16 years ago
"Enable remote publishing using the WordPress, Movable Type, MetaWeblog, Blogger and Atom publishing protocols for my blog."
If I'm a new blogger, or a first-time WordPress user, how does that make any sense? It's confusing enough that I bet people will check it simple because they have no idea what it does, and it can't cause any harm if it's a checkbox in installation, right?
I don't think this needs to be an option in setup.
#11
@
16 years ago
Something's wrong with this option. I was unable to enable it on the Options->Writing screen and have the change actually stick. I had to go into the options table and manually set the option to "1" to make it work.
#13
@
16 years ago
Here's an alternate approach that returns a descriptive error rather than the generic method not found error. The patch isn't complete.
#14
@
16 years ago
I am still not a fan of this change, and I've decided to write some public debate to at least hopefully get some thoughts moving about the possibility of taking another approach:
http://www.red-sweater.com/blog/512/wordpress-to-disable-remote-access
#15
in reply to:
↑ 10
@
16 years ago
Replying to matt:
I don't think this needs to be an option in setup.
I agree with Matt. This is a distracting option for setup and also currently written in Geek. A descriptive error message resolves all scenarios I can think of.
#16
@
16 years ago
Assuming you decide to go ahead with this , I agree a descriptive error message will be very helpful.
#17
@
16 years ago
I can proceed with my patch and remove the install options while discussions continue.
#18
@
16 years ago
New patches:
- Provide helpful error message when XML-RPC is not enabled. Now done as part of the authentication check.
- Provide helpful error message when AtomPub is not enabled.
- Enable XML-RPC and AtomPub when doing upgrades.
- Remove check box for enabling XML-RPC & AtomPub during install.
The only XML-RPC functions that don't attempt to authenticate users are:
- demo.sayHello
- demo.addTwoNumbers
- mt.supportedMethods (which seems pretty useless in light of system.listMethods)
- mt.supportedTextFilters
- mt.getTrackbackPings
- pingback.ping
- pingback.extensions.getPingbacks
Turned XML-RPC and AtomPub back on for upgrades to reduce the amount of surprised existing users will have.
#23
@
16 years ago
$allow passed to not_allowed() is expected to be an array, and joined into a comma-separated list of allowed values. If we're going to use not_allowed() to output this warning in the Allow: header, the content should be a single-element array rather than a string.
However, it may be better to use HTTP Status 403 instead, since Status 405 "MUST include an Allow header containing a list of valid methods for the requested resource", not an arbitrary user-oriented string. With Status 403, WordPress "SHOULD describe the reason for the refusal in the entity" body, not through the Accept: header.
First pass patch. Still needs to actually stop APP working.