[wp-hackers] Is disabling remote client access a good idea?
Joseph Scott
joseph at randomnetworks.com
Mon Jul 7 19:13:16 GMT 2008
On Jul 7, 2008, at 12:14 PM, Alan J Castonguay wrote:
> Don't want to re-open the debate about whether APP should be
> disabled by default. But if the APP /is/ disabled per
> enable_xmlrpc, we should fix the warning/error message.
>
> $allow passed to not_allowed() to generate Status 405 "Method Not
> Allowed" is expected to be an array, and joined into a
> comma-separated list of allowed values. If we're going to use
> not_allowed() to output this warning in the Allow: header, the
> content should be a single-element array rather than a string.
>
> However, it may be better to use HTTP Status 403 instead, since
> Status 405 "MUST include an Allow header containing a list of valid
> methods for the requested resource", not an arbitrary user-oriented
> string. With Status 403, WordPress "SHOULD describe the reason for
> the refusal in the entity" body, not through the Accept: header.
>
>
> http://trac.wordpress.org/ticket/7157
I tend to agree, 403 looks like a more correct response. I've asked
Ryan to commit
http://trac.wordpress.org/attachment/ticket/7157/wp-app.php.4.diff
--
Joseph Scott
joseph at randomnetworks.com
http://joseph.randomnetworks.com/
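
The distinction discussed in this thread, as an added example that is not part of the original message or of WordPress: a small check that flags a 405 whose Allow header carries a user-oriented sentence instead of method names, and a 403 with no reason in the body. The sample responses and their message wording are constructed for illustration.

```python
import re

# RFC 7230 "token": the grammar an HTTP method name must match.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_refusal(raw):
    """Return a list of problems with a 403 or 405 refusal response."""
    status, headers, body = parse_response(raw)
    problems = []
    if status == 405:
        allow = headers.get("allow")
        if allow is None:
            problems.append("405 without an Allow header")
        else:
            # Allow is a comma-separated list; every item must be a method token.
            methods = [m.strip() for m in allow.split(",") if m.strip()]
            bad = [m for m in methods if not TOKEN.match(m)]
            if bad:
                problems.append("Allow holds non-method text: %r" % bad)
    elif status == 403:
        if not body.strip():
            problems.append("403 with no reason in the entity body")
    return problems


# Constructed sample responses; the message wording is made up.
MESSAGE_IN_ALLOW = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: Publishing is disabled on this blog.\r\n\r\n"
)
PROPER_405 = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
PROPER_403 = (
    "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    "Publishing is disabled on this blog.\r\n"
)
```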