[wp-trac] [WordPress Trac] #52958: The XML-RPC endpoint returns 404 rather than 200

WordPress Trac noreply at wordpress.org
Thu Apr 1 13:39:15 UTC 2021


#52958: The XML-RPC endpoint returns 404 rather than 200
--------------------------+-----------------------------
 Reporter:  ariskataoka   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  XML-RPC       |    Version:  5.7
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The [XML-RPC specs](http://xmlrpc.com/spec.md) say:

 ''Unless there's a lower-level error, always return 200, OK.''

 For example: for an attachment not found in the WP db, it should return a
 body with a faultCode 404, AND the HTTP status code should be 200.

 That's how WordPress XML-RPC used to work until the 5.7 version was
 released.

 After that release, it started returning the error code as the status code
 header. It stopped following the specs and broke eventual 3rd party
 integrations that rely on that status code to validate/handle the
 responses. (I saw some integrations experiencing that behavior).

 I did a quick research on trac and could find this ticket:

 https://core.trac.wordpress.org/ticket/48213

 **The issue:**

 Apparently, the ticket changes should only affect the status code when the
 XML-RPC is disabled or the user/pass is incorrect. However, I could notice
 it also affects the application when the XML-RPC is enabled.

 **How to test it?**

 Request command:


 {{{
 curl --location --request POST 'http://test57.local/xmlrpc.php' \
 --header 'Content-Type: application/xml' \
 --data-raw '<?xml version="1.0"?>
 <methodCall>
      <methodName>wp.getMediaItem</methodName>
      <params>
           <param><value>ANY</value></param>
           <param> <value>valid user</value> </param>
           <param> <value>correct password</value></param>
           <param><value>non existent attachment id </value></param>
      </params>
 </methodCall>
 '
 '
 }}}

 Response on WordPress 5.7:

 {{{
 HTTP/1.1 404 Not Found
 Server: nginx/1.16.0
 Date: Thu, 01 Apr 2021 09:58:28 GMT
 Content-Type: text/xml; charset=UTF-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Vary: Accept-Encoding
 X-Powered-By: PHP/7.4.1

 <?xml version="1.0" encoding="UTF-8"?>
 <methodResponse>
   <fault>
     <value>
       <struct>
         <member>
           <name>faultCode</name>
           <value><int>404</int></value>
         </member>
         <member>
           <name>faultString</name>
           <value><string>Invalid attachment ID.</string></value>
         </member>
       </struct>
     </value>
   </fault>
 </methodResponse>
 }}}

 The status code should still be a 200.

 Reponse on WordPress 5.6:

 {{{
 HTTP/1.1 200 OK
 Date: Thu, 01 Apr 2021 13:18:40 GMT
 Server: Apache/2.4.38 (Debian)
 X-Powered-By: PHP/7.4.15
 Connection: close
 Vary: Accept-Encoding
 Content-Length: 394
 Content-Type: text/xml; charset=UTF-8

 <?xml version="1.0" encoding="UTF-8"?>
 <methodResponse>
   <fault>
     <value>
       <struct>
         <member>
           <name>faultCode</name>
           <value><int>404</int></value>
         </member>
         <member>
           <name>faultString</name>
           <value><string>Invalid attachment ID.</string></value>
         </member>
       </struct>
     </value>
   </fault>
 </methodResponse>
 }}}

 The following code is responsible for the relevant changes:

 https://github.com/WordPress/wordpress-develop/pull/774/files#diff-
 c6872009630e677e111a2e9294070f161d1e90377389ecbe46e66cd4dcf1668eR133-R135

 In the code, it's possible to see that the IXR_Error instances would
 return the HTTP status code header sent as a parameter to the constructor
 method. It doesn't take into consideration the XML-RPC is enabled or
 disabled.

 E.g.:
 https://github.com/WordPress/WordPress/blob/dc4de0d5a5360d6799985d54c8ad12f0ffe7da43
 /wp-includes/class-wp-xmlrpc-server.php#L1881

 https://github.com/WordPress/WordPress/blob/dc4de0d5a5360d6799985d54c8ad12f0ffe7da43
 /wp-includes/class-wp-xmlrpc-server.php#L1885

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52958>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list