[wp-hackers] Is disabling remote client access a good idea?

Joseph Scott joseph at randomnetworks.com
Mon Jul 7 19:13:16 GMT 2008

On Jul 7, 2008, at 12:14 PM, Alan J Castonguay wrote:

> Don't want to re-open the debate about whether APP should be  
> disabled by default. But if the APP /is/ disabled per  
> enable_xmlrpc, we should fix the warning/error message.
> $allow passed to not_allowed() to generate Status 405 "Method Not  
> Allowed" is expected to be an array, and joined into a comma- 
> separated list of allowed values. If we're going to use not_allowed 
> () to output this warning in the Allow: header, the content should  
> be a single-element array rather than a string.
> However, it may be better to use HTTP Status 403 instead, since  
> Status 405 "MUST include an Allow header containing a list of valid  
> methods for the requested resource", not an arbitrary user-oriented  
> string. With Status 403, WordPress "SHOULD describe the reason for  
> the refusal in the entity" body, not through the Accept: header.
> http://trac.wordpress.org/ticket/7157

I tend to agree, 403 looks like a more correct response.  I've asked  
Ryan to commit http://trac.wordpress.org/attachment/ticket/7157/wp- 

Joseph Scott
joseph at randomnetworks.com

More information about the wp-hackers mailing list