[wp-hackers] Is disabling remote client access a good idea?

Jacob Santos wordpress at santosj.name
Wed Jun 25 12:40:45 GMT 2008


Yeah, that is somewhat difficult because it really falls under 
acceptance testing. I've heard of an HTTP proxy for PHPUnit, which 
simulates the HTTP environment, but I really think you have to do it 
live over HTTP to be accurate. Generally, if it did do it the functional 
testing way, then it would take forever to run with all of the latency 
of HTTP and having to do it many times. Safer to probably try to get as 
much done with just one HTTP request as possible.

Jacob Santos

Ryan McCue wrote:
> DD32 wrote:
>> The way they've been more vulnerable in the past has not been 
>> checking the username/password, but rather, whether the user could 
>> perform the action, AFAIK.
>> (E.g., a Subscriber signs up and can pass the user login stage. Next is 
>> checking that the user has all the permissions to do a certain 
>> action. In the admin section this is pretty complicated, and then you 
>> need to duplicate all the security checks in XMLRPC, etc.)
>
> In my opinion, this just means that we need more regression testing, 
> especially for XML-RPC. If we had automated regression testing, then 
> this would not be a factor.
>
> Thanks,
> Ryan. 
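The two points in this thread, DD32's (XML-RPC must check the caller's capability, not just the username/password) and Jacob's (do as much as possible in a single HTTP request so the suite stays fast), can be shown together in one small harness. The following is an added example written for this page in Python, not WordPress's PHP XML-RPC code; the user table, the `demo.*` method names, the role/capability map and the fault codes are all constructed for the illustration. `Endpoint.handle()` stands in for one HTTP POST: it takes an XML-RPC request body and returns the response body, and `system.multicall` lets the regression matrix below run in a single request. The `check_caps=False` variant reproduces the class of bug DD32 describes (login succeeds, authorization is never checked) so that the regression run flags it.

```python
"""Added example (not WordPress code): an XML-RPC endpoint that checks both
login and capability, plus a regression matrix sent as one system.multicall
request so a whole permission sweep costs a single HTTP round trip."""
import hmac
import xmlrpc.client as xc

# Constructed user table and role capabilities; all names are hypothetical.
USERS = {"alice": ("correct horse", "administrator"),
         "bob": ("battery staple", "subscriber")}
CAPS = {"administrator": {"read", "edit_posts"}, "subscriber": {"read"}}
POSTS = {1: "Hello world"}


class Fault(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code, self.msg = code, msg


def login(username, password):
    """Authentication only: who is this caller? Returns the role."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec[0], password):
        raise Fault(403, "Bad login/pass combination.")
    return rec[1]


def require_cap(role, cap):
    """Authorization: may this role perform the action at all?"""
    if cap not in CAPS[role]:
        raise Fault(401, "Sorry, you are not allowed to %s." % cap)


class Endpoint:
    """Minimal XML-RPC dispatcher; handle() stands in for one HTTP POST."""
    def __init__(self, check_caps=True):
        self.check_caps = check_caps
        self.methods = {"demo.getPost": self.get_post,
                        "demo.editPost": self.edit_post,
                        "system.multicall": self.multicall}

    def get_post(self, username, password, post_id):
        role = login(username, password)
        require_cap(role, "read")
        return POSTS[post_id]

    def edit_post(self, username, password, post_id, content):
        role = login(username, password)
        if self.check_caps:  # the authorization step that must not be skipped
            require_cap(role, "edit_posts")
        POSTS[post_id] = content
        return True

    def call(self, name, params):
        fn = self.methods.get(name)
        if fn is None:
            raise Fault(-32601, "server error. requested method not found")
        return fn(*params)

    def multicall(self, calls):
        """Each result is [value] on success or a fault struct on failure."""
        out = []
        for c in calls:
            try:
                out.append([self.call(c["methodName"], c["params"])])
            except Fault as f:
                out.append({"faultCode": f.code, "faultString": f.msg})
        return out

    def handle(self, body):
        params, name = xc.loads(body)
        try:
            return xc.dumps((self.call(name, params),), methodresponse=True)
        except Fault as f:
            return xc.dumps(xc.Fault(f.code, f.msg), methodresponse=True)


# Regression matrix: (method, params, expected fault code or None for success)
MATRIX = [
    ("demo.getPost", ["bob", "battery staple", 1], None),
    ("demo.editPost", ["alice", "correct horse", 1, "edited by admin"], None),
    ("demo.editPost", ["bob", "battery staple", 1, "edited by subscriber"], 401),
    ("demo.editPost", ["bob", "wrong password", 1, "x"], 403),
    ("demo.noSuchMethod", [], -32601),
]


def run_regression(endpoint):
    """Send the whole matrix in one system.multicall request; return a list of
    (method, passed) pairs in matrix order."""
    calls = [{"methodName": m, "params": p} for m, p, _ in MATRIX]
    request = xc.dumps((calls,), methodname="system.multicall")
    (results,), _ = xc.loads(endpoint.handle(request))
    report = []
    for (method, _, expected), r in zip(MATRIX, results):
        if expected is None:
            ok = isinstance(r, list)
        else:
            ok = isinstance(r, dict) and r["faultCode"] == expected
        report.append((method, ok))
    return report


if __name__ == "__main__":
    for label, ep in (("login-only", Endpoint(check_caps=False)),
                      ("login+capability", Endpoint())):
        print(label, run_regression(ep))
```

Against the login-only endpoint the third row fails (the subscriber's edit goes through instead of returning fault 401), which is exactly the regression Ryan is asking the suite to catch; against the endpoint that also calls `require_cap` every row passes. Because the matrix travels as one `system.multicall` body, adding more role/action combinations costs no extra HTTP round trips.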