[wp-trac] [WordPress Trac] #10330: XML-RPC and AtomPub Endpoints
Should Respect FORCE_SSL_ADMIN and FORCE_SSL_LOGIN
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 2 04:11:50 UTC 2009
#10330: XML-RPC and AtomPub Endpoints Should Respect FORCE_SSL_ADMIN and
FORCE_SSL_LOGIN
-------------------------+--------------------------------------------------
Reporter: josephscott | Owner: josephscott
Type: enhancement | Status: new
Priority: normal | Milestone: 2.8.1
Component: XML-RPC | Version: 2.8
Severity: normal | Keywords: has-patch
-------------------------+--------------------------------------------------
External APIs (XML-RPC and AtomPub) should force SSL access if
FORCE_SSL_ADMIN or FORCE_SSL_LOGIN is set to true.

I think it makes sense to redirect to HTTPS if either FORCE_SSL_ADMIN or
FORCE_SSL_ADMIN is set to true since both endpoints pass usernames and
passwords in the clear (or near clear in the case of AtomPub which
generally uses HTTP Basic Auth) and expose administrative functions.

I've got patches for -trunk and the 2.8 branch in hopes that we can get
this included in the 2.8.1 release as well.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10330>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
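
The rule proposed in the ticket, modelled as an added Python example (not the ticket's patch and not WordPress code): redirect plain-HTTP API requests when either constant is true, and decode the Basic Auth header to show why the ticket calls it "near clear". The request dictionary, host, path, credentials and the 302 status are constructed assumptions.

```python
import base64

def basic_auth_credentials(header):
    """Decode an HTTP Basic Authorization header into (user, password), or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Basic Auth is base64("user:password"): an encoding, not encryption.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def endpoint_response(request, force_ssl_admin=False, force_ssl_login=False):
    """Answer an API endpoint request under the ticket's rule: redirect to
    HTTPS when either constant is true and the request arrived over HTTP."""
    if request["scheme"] == "https" or not (force_ssl_admin or force_ssl_login):
        return {"status": 200, "location": None, "sent_in_clear": None}
    # Whatever the client attached to this plain-HTTP request was readable on
    # the wire before the redirect could be issued, so report it for rotation.
    return {
        "status": 302,  # assumed status code; the ticket only says "redirect"
        "location": "https://" + request["host"] + request["path"],
        "sent_in_clear": basic_auth_credentials(request.get("authorization")),
    }

# Constructed sample: an AtomPub-style request sent over plain HTTP.
SAMPLE = {
    "scheme": "http",
    "host": "blog.example",
    "path": "/wp-app.php",
    "authorization": "Basic " + base64.b64encode(b"editor:example-password").decode(),
}

if __name__ == "__main__":
    print(endpoint_response(SAMPLE, force_ssl_login=True))
```

A redirect only protects later requests: if the client sent credentials with the plain-HTTP request, they should be treated as exposed, and clients should be configured with the HTTPS endpoint URL directly.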