[wp-xmlrpc] Re: [wp-hackers] XMLRPC rework

Joseph Scott joseph at randomnetworks.com
Fri Aug 31 18:51:09 GMT 2007


I'm cross posting this so that folks to the wp-xmlrpc list are aware  
of this.


On Aug 30, 2007, at 10:28 AM, Alexander Concha wrote:

> Hello Folks.
>
> I think WP's XMLRPC server needs more attention because it has some
> buggy methods and by default allows to gather useful information to
> unprivileged users.
>
> The following methods doesn't seem to work and because of security
> implications, I suggest remove them -- although I'm not sure if they
> were added for compatibility reasons.
>
> - blogger_getTemplate
> - blogger_setTemplate


I'm inclined to agree on removing these at this point.  From the  
looks of things these haven't worked for a long time, if ever.  Even  
if they were made to work it isn't clear what WordPress should do  
with them.

If we want to provide an interface for getting and updating templates  
we could always implement our own wp.getTemplate wp.setTemplate  
methods later.


> OTOH, unprivileged users (aka anyone with a subscriber role) can
> retrieve data which could be used for unknown purposes. Examples:
>
> - mw_getRecentPosts will return posts including private fields like
> post_password.
> - wp_getAuthors will return the list of users with private data (email
> and role).


We could tighten things up on these and other functions that can  
return sensitive data.

When returning post data I'd suggest limiting it to anyone that can  
edit the post (the post author and anyone with editor and  
administrator role).  This would make any of the methods that return  
post data do the same sort of checks that mw_editPost does.  Is there  
any reason why a user who can't edit a post should still be able to  
get the post data via XML-RPC?

For wp_getAuthors we could probably just trim it down to three  
fields: user_id, user_login and display_name.  I don't see any  
benefit derived from including the user_email and meta_value fields.   
On the other hand, is there a potential issue with having the ability  
to enumerate all of the usernames for a blog?  Perhaps this method  
should only work for people who can edit posts (contributer, author,  
edit and admin roles)?



--
Joseph Scott
http://joseph.randomnetworks.com/




More information about the wp-xmlrpc mailing list