[wp-trac] [WordPress Trac] #16402: IXR client doesn't properly handle XMLRPC over HTTPS

WordPress Trac wp-trac at lists.automattic.com
Fri Jan 28 21:58:03 UTC 2011

#16402: IXR client doesn't properly handle XMLRPC over HTTPS
 Reporter:  bryanmaupin   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  XML-RPC       |    Version:  3.1
 Severity:  normal        |   Keywords:  xmlrpc ssl https
 There are two problems with the IXR XMLRPC client:

 1. The current IXR client code defaults to port 80, and isn't smart enough
 to know the port should be 443 if an https URL is sent.

 2. The IXR client doesn't create an SSL connection even if the port is

 I first noticed this because we're using an apache redirect to redirect
 XMLRPC requests to SSL (except the RSD) to avoid sending passwords in
 clear text.  Some clients (like windows live writer) use the blogger API
 instead of the wp API for wp sites.  For wp multisite,
 blogger_getUsersBlogs() calls _multisite_getUsersBlogs(), which creates a
 new IXR XMLRPC client.  But _multisite_getUsersBlogs() doesn't send a port
 number with the URL, so the IXR client defaults to port 80 (problem #1).
 Even if _multisite_getUsersBlogs() sent a port, the IXR client connection
 wouldn't be SSL (problem #2).

 I'm also going to look into submitting this upstream.

Ticket URL: <http://core.trac.wordpress.org/ticket/16402>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list