[wp-trac] [WordPress Trac] #28424: XML-RPC endpoint doesn't enforce the admin scheme
WordPress Trac
noreply at wordpress.org
Sun Jun 1 12:53:54 UTC 2014
#28424: XML-RPC endpoint doesn't enforce the admin scheme
----------------------------+-----------------------------
Reporter: johnbillion | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: XML-RPC | Version:
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
Scenario: a site where the admin area is served over SSL via
`FORCE_SSL_ADMIN` and the front end is served over HTTP.

Calling `example.com/xmlrpc.php?rsd` lists the available endpoints and
correctly uses the admin scheme. However, the scheme isn't enforced, and
you can still POST to these endpoints over HTTP.

IMO if `FORCE_SSL_ADMIN` is set, the XML-RPC endpoint should be forced
over SSL. HTTP requests should be blocked outright with a relevant error
message.

A situation where this could be an issue is where a site's admin area was
previously served over HTTP but switched to HTTPS. A client app (e.g. one
of the mobile apps) may still be using the HTTP endpoint and therefore
avoiding `FORCE_SSL_ADMIN`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28424>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
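The enforcement the ticket asks for, as an added example that is not part of the ticket, of WordPress core, or of any core patch: a must-use plugin that rejects plain-HTTP XML-RPC requests with an XML-RPC fault whenever `FORCE_SSL_ADMIN` is on. It relies only on core functions that exist (`force_ssl_admin()`, `is_ssl()`, `site_url()` with the `rpc` scheme, `nocache_headers()`, `get_option()`) and on the `XMLRPC_REQUEST` constant that `xmlrpc.php` defines before bootstrapping WordPress. The function name `example_xmlrpc_require_ssl` and the wording of the error are assumptions made for this example; the fault code 405 is the one core uses for "XML-RPC services are disabled on this site." The `?rsd` discovery document is deliberately left reachable over HTTP, since that is where a client learns the HTTPS endpoint.

```php
<?php
/**
 * Plugin Name: Require SSL for XML-RPC when FORCE_SSL_ADMIN is set
 * Description: Added example for ticket #28424, not WordPress core. Place in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct access: nothing to do without the WordPress bootstrap.
}

/**
 * Reject plain-HTTP XML-RPC requests with an XML-RPC fault when the admin area
 * is forced over SSL. GET xmlrpc.php?rsd stays reachable over HTTP so a client
 * can still discover the HTTPS endpoint that core advertises there through
 * site_url( 'xmlrpc.php', 'rpc' ).
 *
 * Function name is hypothetical (chosen for this example).
 */
function example_xmlrpc_require_ssl() {
    // xmlrpc.php defines XMLRPC_REQUEST before including wp-load.php, so the
    // constant is visible to plugins on every request that reaches the endpoint.
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }

    // force_ssl_admin() reflects FORCE_SSL_ADMIN; is_ssl() is true for HTTPS.
    if ( ! force_ssl_admin() || is_ssl() ) {
        return;
    }

    // Allow unauthenticated RSD discovery: it carries no credentials and its
    // apiLink already uses the admin scheme, which is what the client should follow.
    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'GET' === $_SERVER['REQUEST_METHOD'] && isset( $_GET['rsd'] ) ) {
        return;
    }

    // Same scheme resolution as the RSD document: 'rpc' becomes https when
    // FORCE_SSL_ADMIN is on, so the error names the endpoint to switch to.
    $https_endpoint = site_url( 'xmlrpc.php', 'rpc' );

    $message = sprintf(
        'XML-RPC requires HTTPS on this site because FORCE_SSL_ADMIN is enabled. Use %s instead.',
        $https_endpoint
    );

    // Answer with a well-formed XML-RPC fault (HTTP 200, as core's IXR server
    // does for faults) so client apps show faultString instead of an HTML page.
    // Fault code 405 matches what core returns when XML-RPC is disabled.
    nocache_headers();
    header( 'Content-Type: text/xml; charset=' . get_option( 'blog_charset' ) );
    echo '<?xml version="1.0" encoding="' . get_option( 'blog_charset' ) . '"?>' . "\n";
    echo "<methodResponse>\n  <fault>\n    <value>\n      <struct>\n";
    echo "        <member><name>faultCode</name><value><int>405</int></value></member>\n";
    echo '        <member><name>faultString</name><value><string>'
        . htmlspecialchars( $message, ENT_QUOTES, 'UTF-8' )
        . "</string></value></member>\n";
    echo "      </struct>\n    </value>\n  </fault>\n</methodResponse>\n";
    exit;
}

// Run before xmlrpc.php hands the request to the XML-RPC server (that happens
// after wp-load.php returns, i.e. after 'init' has fired).
add_action( 'init', 'example_xmlrpc_require_ssl', 0 );
```

With this in place, the migrated mobile-app scenario from the ticket degrades gracefully: a client still posting to `http://example.com/xmlrpc.php` receives a fault whose text names the `https://` endpoint, rather than silently authenticating in the clear. One caveat when testing: `is_ssl()` only inspects `$_SERVER['HTTPS']` and the server port, so behind a proxy that terminates TLS you must map the proxy's forwarded-protocol header onto `$_SERVER['HTTPS']` in `wp-config.php` before this check (and `FORCE_SSL_ADMIN` itself) behaves correctly; otherwise every request looks like plain HTTP and is rejected.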