[wp-trac] [WordPress Trac] #43459: Provide a "manifest.json" file for exposing information about wordpress endpoints
WordPress Trac
noreply at wordpress.org
Fri Mar 2 12:06:36 UTC 2018
#43459: Provide a "manifest.json" file for exposing information about wordpress
endpoints
-----------------------------+-----------------------------
Reporter: bjne | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
When hosting wordpress sites, there is a problem knowing which .php files
should be executed directly and which are just included by other apps.
I suggest trying to develop a "manifest.json" (filename open for
discussion) that should live in wp-core and provide an up-to-date
reference for configuring frontend webservers (per-request?).
Currently the practice is mostly to deny access to wp-config.php, but more
or less allow every other endpoint to be executed directly. This is a
security concern.
The format should be expandable in the future, but I suggest the following
basic JSON schema:
{{{
{
  "$schema": "http://json-schema.org/draft-06/schema#",
  "type": "object",
  "description": "wordpress manifest",
  "patternProperties": {
    "^(/[^/]+)+$": {
      "type": "object",
      "properties": {
        "type": {
          "enum": ["public", "logged_in", "admin"]
        }
      },
      "required": ["type"]
    }
  },
  "additionalProperties": false
}
}}}
Which would allow the following initial configuration:
{{{
{
  "/index.php": {
    "type": "public"
  },
  "/wp-login.php": {
    "type": "public"
  },
  "/wp-admin/wp-admin-php": {
    "type": "admin"
  }
}
}}}
Everything not listed in this file should be blacklisted by default.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43459>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
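The deny-by-default lookup proposed in the ticket can be sketched as follows. This is an added example, not code from the ticket or from WordPress: `load_manifest` and `classify` are hypothetical names, the request path is assumed to be already percent-decoded, and how a frontend enforces `logged_in` or `admin` is left to the caller because the ticket does not define it.

```python
import json
import posixpath
import re

# Constraints copied from the ticket's schema: key pattern and "type" enum.
PATH_RE = re.compile(r"(/[^/]+)+")
TYPES = ("public", "logged_in", "admin")

# The ticket's sample manifest, reproduced unchanged.
MANIFEST_JSON = """
{
  "/index.php": {"type": "public"},
  "/wp-login.php": {"type": "public"},
  "/wp-admin/wp-admin-php": {"type": "admin"}
}
"""

def load_manifest(text):
    """Parse a manifest and reject anything the schema would reject."""
    manifest = json.loads(text)
    if not isinstance(manifest, dict):
        raise ValueError("manifest must be a JSON object")
    for path, entry in manifest.items():
        # additionalProperties: false -> every key must match the path pattern
        if not PATH_RE.fullmatch(path):
            raise ValueError(f"invalid path key: {path!r}")
        # "type" is required and must be one of the enum values
        if not isinstance(entry, dict) or entry.get("type") not in TYPES:
            raise ValueError(f"missing or invalid type for {path!r}")
    return manifest

def classify(manifest, request_path):
    """Return the manifest type for a requested script path, else "deny"."""
    path = request_path.split("?", 1)[0]
    # Collapse "//", "." and ".." before the lookup so that the decision is
    # made on the path that would actually be resolved on disk.
    path = posixpath.normpath("/" + path.lstrip("/"))
    entry = manifest.get(path)
    return entry["type"] if entry else "deny"

MANIFEST = load_manifest(MANIFEST_JSON)

if __name__ == "__main__":
    for p in ("/index.php", "/wp-config.php", "/wp-admin/../wp-config.php"):
        print(p, "->", classify(MANIFEST, p))
```

The lookup is an exact, case-sensitive match on the normalized path, so a script that is absent from the manifest is denied however the request spells it.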