[wp-hackers] XMLRPC rework
joseph at randomnetworks.com
Fri Aug 31 18:51:09 GMT 2007
I'm cross posting this so that folks to the wp-xmlrpc list are aware
On Aug 30, 2007, at 10:28 AM, Alexander Concha wrote:
> Hello Folks.
> I think WP's XMLRPC server needs more attention because it has some
> buggy methods and by default allows to gather useful information to
> unprivileged users.
> The following methods doesn't seem to work and because of security
> implications, I suggest remove them -- although I'm not sure if they
> were added for compatibility reasons.
> - blogger_getTemplate
> - blogger_setTemplate
I'm inclined to agree on removing these at this point. From the
looks of things these haven't worked for a long time, if ever. Even
if they were made to work it isn't clear what WordPress should do
If we want to provide an interface for getting and updating templates
we could always implement our own wp.getTemplate wp.setTemplate
> OTOH, unprivileged users (aka anyone with a subscriber role) can
> retrieve data which could be used for unknown purposes. Examples:
> - mw_getRecentPosts will return posts including private fields like
> - wp_getAuthors will return the list of users with private data (email
> and role).
We could tighten things up on these and other functions that can
return sensitive data.
When returning post data I'd suggest limiting it to anyone that can
edit the post (the post author and anyone with editor and
administrator role). This would make any of the methods that return
post data do the same sort of checks that mw_editPost does. Is there
any reason why a user who can't edit a post should still be able to
get the post data via XML-RPC?
For wp_getAuthors we could probably just trim it down to three
fields: user_id, user_login and display_name. I don't see any
benefit derived from including the user_email and meta_value fields.
On the other hand, is there a potential issue with having the ability
to enumerate all of the usernames for a blog? Perhaps this method
should only work for people who can edit posts (contributer, author,
edit and admin roles)?
More information about the wp-hackers