WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#9074 closed feature request (invalid)

XML-RPC and SSL (Admin SSL)

Reported by: eceleste Owned by: ryan
Milestone: 2.8 Priority: low
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description

I would love for the native SSL support in WP to include support for Shared SSL. For now I have to use Admin SSL. Even though the issue described here is really and Admin SSL issue, I am adding it to trac just in case folks are working on similar functionality within WP itself. Beware xmlrpc.php when rewriting URLs.

The problem I was having is that xmlrpc.php in WordPress was passing corrupted XML to my blog editor (MarsEdit) when it was secured by the Admin SSL plugin. This turned out to be a bug with Admin SSL, as far as I can tell. I have to use Admin SSL instead of WP's own SSL since my certs are shared certificates, not certs on my blog's host.

It turns out that Admin SSL assumes that it should rewrite self-referencing http URLs in the outbound buffer so that they point to https. Normally this is a good idea (avoids many warnings from the browser). But it is a bad idea when the outbound buffer is an XML file which WordPress already assumes to be of a given length. Essentially, the rewritten buffer became longer than WP expected and some tags (including the closing tag) were getting cut off.

My solution: explicitly exempt xmlrpc.php from the substitution. I've done this rather crudely, I'm sure Ben (the author of Admin SSL) may have a prettier way of accomplishing the same thing. Here's the patch that worked for me:

In the includes/https.php file within the Admin SSL plugin folder replace…

$buffer = str_replace($replace_this,$with_this,$buffer);

with…

if(strpos(req_uri(),"xmlrpc.php") === false) { $buffer = str_replace($replace_this,$with_this,$buffer); }

Change History (1)

comment:1 eceleste5 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Since this ticket really does not point to any work needing doing in WP, I'll go ahead and close it.

BUT: Shared SSL would be great to have!

Note: See TracTickets for help on using tickets.