[wp-trac] [WordPress Trac] #9074: XML-RPC and SSL (Admin SSL)

WordPress Trac wp-trac at lists.automattic.com
Mon Feb 9 19:32:40 GMT 2009


#9074: XML-RPC and SSL (Admin SSL)
-----------------------------+----------------------------------------------
 Reporter:  eceleste         |       Owner:  ryan
     Type:  feature request  |      Status:  new 
 Priority:  low              |   Milestone:  2.8 
Component:  Security         |     Version:      
 Severity:  normal           |    Keywords:      
-----------------------------+----------------------------------------------
 I would love for the native SSL support in WP to include support for
 Shared SSL. For now I have to use Admin SSL. Even though the issue
 described here is really an Admin SSL issue, I am adding it to trac just
 in case folks are working on similar functionality within WP itself.
 Beware xmlrpc.php when rewriting URLs.

 The problem I was having is that xmlrpc.php in WordPress was passing
 corrupted XML to my blog editor (MarsEdit) when it was secured by the
 Admin SSL plugin. This turned out to be a bug with Admin SSL, as far as I
 can tell. I have to use Admin SSL instead of WP's own SSL since my certs
 are shared certificates, not certs on my blog's host.

 It turns out that Admin SSL assumes that it should rewrite self-
 referencing http URLs in the outbound buffer so that they point to https.
 Normally this is a good idea (avoids many warnings from the browser). But
 it is a bad idea when the outbound buffer is an XML file which WordPress
 already assumes to be of a given length. Essentially, the rewritten buffer
 became longer than WP expected and some tags (including the closing tag)
 were getting cut off.

 My solution: explicitly exempt xmlrpc.php from the substitution. I've done
 this rather crudely; I'm sure Ben (the author of Admin SSL) may have a
 prettier way of accomplishing the same thing. Here's the patch that worked
 for me:

 In the includes/https.php file within the Admin SSL plugin folder replace…

 $buffer = str_replace($replace_this,$with_this,$buffer);

 with…

 // Skip the http -> https rewrite when the request is for xmlrpc.php
 if (strpos(req_uri(), "xmlrpc.php") === false) {
     $buffer = str_replace($replace_this, $with_this, $buffer);
 }

-- 
Ticket URL: <http://trac.wordpress.org/ticket/9074>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
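
The truncation described in the ticket, as an added example that is not code from WordPress or Admin SSL: a response length is fixed before an output filter lengthens the body, so a client that honours the declared length loses the end of the XML. The host blog.example.com, all function names, and the modelling of the "given length" as a Content-Length value are assumptions made for illustration.

```php
<?php
// Constructed sample values (assumed site URL, not from the ticket).
const SITE_HTTP  = 'http://blog.example.com';
const SITE_HTTPS = 'https://blog.example.com';
const CLOSE_TAG  = '</methodResponse>';

// Builds a small XML-RPC response and fixes its length up front,
// before any output-buffer filter has had a chance to run.
function build_response(): array {
    $xml = '<?xml version="1.0"?>' . "\n"
         . '<methodResponse><params><param><value><string>'
         . SITE_HTTP . '/?p=1'
         . '</string></value></param></params>' . CLOSE_TAG;
    return ['Content-Length' => strlen($xml), 'body' => $xml];
}

// Models the plugin's buffer filter. $exempt_xmlrpc switches the
// ticket's workaround (skip the rewrite for xmlrpc.php) on or off.
function rewrite_buffer(string $buffer, string $request_uri, bool $exempt_xmlrpc): string {
    if ($exempt_xmlrpc && strpos($request_uri, 'xmlrpc.php') !== false) {
        return $buffer;
    }
    return str_replace(SITE_HTTP, SITE_HTTPS, $buffer);
}

// A client that trusts the declared length reads exactly that many bytes.
function client_read(int $declared_length, string $wire_body): string {
    return substr($wire_body, 0, $declared_length);
}

// True when the body still ends with the complete closing tag.
function closing_tag_intact(string $xml): bool {
    return substr($xml, -strlen(CLOSE_TAG)) === CLOSE_TAG;
}

foreach ([false, true] as $exempt) {
    $resp = build_response();
    $wire = rewrite_buffer($resp['body'], '/xmlrpc.php', $exempt);
    $seen = client_read($resp['Content-Length'], $wire);
    printf("exempt=%s declared=%d sent=%d closing_tag_intact=%s\n",
        $exempt ? 'yes' : 'no',
        $resp['Content-Length'],
        strlen($wire),
        closing_tag_intact($seen) ? 'yes' : 'no');
}
```

Each rewritten URL adds one byte, so without the exemption the declared length is one short per URL and the final `>` of the closing tag is dropped.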

