[wp-trac] [WordPress Trac] #16402: IXR client doesn't properly handle XMLRPC over HTTPS
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 28 21:58:03 UTC 2011
#16402: IXR client doesn't properly handle XMLRPC over HTTPS
--------------------------+------------------------------
 Reporter:  bryanmaupin   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  XML-RPC       |     Version:  3.1
 Severity:  normal        |    Keywords:  xmlrpc ssl https
--------------------------+------------------------------

 There are two problems with the IXR XMLRPC client:

 1. The current IXR client code defaults to port 80, and isn't smart enough
    to know the port should be 443 if an https URL is sent.
 2. The IXR client doesn't create an SSL connection even if the port is
    443.

 I first noticed this because we're using an Apache redirect to redirect
 XMLRPC requests to SSL (except the RSD) to avoid sending passwords in
 clear text. Some clients (like Windows Live Writer) use the blogger API
 instead of the wp API for wp sites. For wp multisite,
 blogger_getUsersBlogs() calls _multisite_getUsersBlogs(), which creates a
 new IXR XMLRPC client. But _multisite_getUsersBlogs() doesn't send a port
 number with the URL, so the IXR client defaults to port 80 (problem #1).
 Even if _multisite_getUsersBlogs() sent a port, the IXR client connection
 wouldn't be SSL (problem #2).

 I'm also going to look into submitting this upstream.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/16402>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
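
The two problems in the ticket above, sketched as an added example (not code from the ticket, IXR, or WordPress): the port is derived from the URL scheme when none is given, and the scheme rather than the port number selects a TLS socket with certificate verification. The function names `xmlrpc_endpoint` and `xmlrpc_connect` and the `example.com` URLs are hypothetical.

```php
<?php
// Added illustration; not IXR or WordPress code. Function names are hypothetical.

// Derive host, port, path and socket transport from an XML-RPC endpoint URL.
// An explicit port in the URL wins; otherwise the port follows the scheme.
function xmlrpc_endpoint(string $url): array {
    $bits = parse_url($url);
    if ($bits === false || empty($bits['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $scheme = strtolower($bits['scheme'] ?? 'http');
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException("Unsupported scheme: $scheme");
    }
    $secure = ($scheme === 'https');
    $path = ($bits['path'] ?? '/') . (isset($bits['query']) ? '?' . $bits['query'] : '');
    return [
        'host'   => $bits['host'],
        'port'   => $bits['port'] ?? ($secure ? 443 : 80),  // problem 1
        'path'   => $path,
        'secure' => $secure,
        // The scheme, not the port number, selects TLS (problem 2).
        'remote' => ($secure ? 'ssl://' : 'tcp://') . $bits['host'],
    ];
}

/** Open the socket; for https the peer certificate and name are verified. */
function xmlrpc_connect(array $ep, float $timeout = 15.0) {
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $ep['host'],
    ]]);
    $fp = stream_socket_client("{$ep['remote']}:{$ep['port']}", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("Connect failed: $errstr ($errno)");
    }
    return $fp;
}

// Constructed sample URLs (example.com is a placeholder host).
foreach (['https://blog.example.com/xmlrpc.php',
          'http://blog.example.com/xmlrpc.php',
          'https://blog.example.com:8443/xmlrpc.php'] as $url) {
    $ep = xmlrpc_endpoint($url);
    printf("%-42s -> %s:%d%s\n", $url, $ep['remote'], $ep['port'], $ep['path']);
}
```

The loop only resolves endpoints and opens no connection; `xmlrpc_connect` is what a client would call before writing the HTTP request.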