From ffb3d909c82885488eeb0d57e4ca67b1ac55b405 Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Wed, 4 Oct 2023 18:18:06 +0200
Subject: [PATCH] Add configuration for Wordpress XML-RPC endpoint

Signed-off-by: Kim Oliver Drechsel
---
 .../opt/bitnami/scripts/libwordpress.sh       | 31 +++++++++++++++++++
 .../opt/bitnami/scripts/wordpress-env.sh      |  2 ++
 bitnami/wordpress/README.md                   |  1 +
 3 files changed, 34 insertions(+)

diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
index 3db0be8c1dc23..d6a854324156e 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
@@ -92,6 +92,7 @@ wordpress_validate() {
     check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
     check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
     check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
+    check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 
     # Multisite validations
     check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
@@ -226,6 +227,12 @@ wordpress_initialize() {
             WORDPRESS_DATA_TO_PERSIST+=" ${htaccess_file}"
         fi
     fi
+    else
+        if is_boolean_yes "$WORDPRESS_HTACCESS_OVERRIDE_NONE"; then
+            local htaccess_file="${APACHE_HTACCESS_DIR}/wordpress-htaccess.conf"
+        else
+            local htaccess_file="${WORDPRESS_BASE_DIR}/.htaccess"
+        fi
     fi
 
     # Check if WordPress has already been initialized and persisted in a previous run
@@ -351,6 +358,7 @@ wordpress_initialize() {
         # Enable friendly URLs / permalinks (using historic Bitnami defaults)
         wp_execute rewrite structure '/%year%/%monthnum%/%day%/%postname%/'
         ! is_empty_value "$WORDPRESS_SMTP_HOST" && wordpress_configure_smtp
+        ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
     else
         info "An already initialized WordPress database was provided, configuration will be skipped"
         wp_execute core update-db
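Review bot: The new `else` branch re-derives `htaccess_file` from `WORDPRESS_HTACCESS_OVERRIDE_NONE`, and the preceding branch evidently resolves the same variable (its `WORDPRESS_DATA_TO_PERSIST+=" ${htaccess_file}"` line uses it), so the path-selection logic now exists twice and can drift; hoisting the `if is_boolean_yes "$WORDPRESS_HTACCESS_OVERRIDE_NONE"; then … fi` selection above the enclosing `if` would leave one source of truth. Unlike the first branch, this one does not append the file to `WORDPRESS_DATA_TO_PERSIST`, so anything later written to it (such as the XML-RPC deny rule) may not survive a container recreation unless the path is persisted elsewhere — the enclosing `if` and its condition begin outside the hunk, so I cannot confirm that from here. A comment on the `else`, `# resolve the .htaccess path anyway so later hardening steps know where to write`, would make the intent explicit for the next reader.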
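Review bot: The `wordpress_disable_xmlrpc_endpoint` call sits in the first-initialization branch only, so setting `WORDPRESS_ENABLE_XML_RPC=no` on a deployment whose database is already initialized (the `else` branch beneath it) silently does nothing and leaves `xmlrpc.php` reachable. The env file labels the variable "only used during the first initialization", but the README entry added by this patch does not carry that caveat, and nothing is logged when the rule is applied. I would add `info "Disabling the WordPress XML-RPC endpoint"` before the call so operators can verify from the container log that the hardening actually ran, and mirror the first-initialization caveat in the README line. `wordpress_initialize` begins and ends outside this hunk.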
@@ -583,6 +591,29 @@ if ( !defined( 'WP_CLI' ) ) {
 EOF
 }
 
+########################
+# Disable access to the WordPress XML-RPC endpoint
+# Globals:
+#   *
+# Arguments:
+#   $1 - path to .htaccess file
+# Returns:
+#   None
+#########################
+wordpress_disable_xmlrpc_endpoint() {
+    local -r htaccess_file="${1:?missing htaccess file path}"
+    [[ ! -f "$htaccess_file" ]] && touch "$htaccess_file"
+    grep -q "" "$htaccess_file" || cat >>"$htaccess_file" <<"EOF"
+
+# Disable the oudated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+
+Order Allow,Deny
+Deny from all
+
+
+EOF
+}
+
 ########################
 # Configure reverse proxy headers
 # Globals:
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
index 9126f28812cff..3a926e1765356 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
@@ -47,6 +47,7 @@ wordpress_env_vars=(
     WORDPRESS_LOGGED_IN_SALT
     WORDPRESS_NONCE_SALT
     WORDPRESS_ENABLE_REVERSE_PROXY
+    WORDPRESS_ENABLE_XML_RPC
     WORDPRESS_USERNAME
     WORDPRESS_PASSWORD
     WORDPRESS_EMAIL
@@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-yes}" # only used during the first initialization
 
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization
diff --git a/bitnami/wordpress/README.md b/bitnami/wordpress/README.md
index f9986827e41b9..644c0fd3cf2d5 100644
--- a/bitnami/wordpress/README.md
+++ b/bitnami/wordpress/README.md
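Review bot: `Order Allow,Deny` / `Deny from all` in the heredoc is the Apache 2.2 access-control syntax; on Apache 2.4 it is only accepted when `mod_access_compat` is loaded and otherwise aborts startup with an invalid-directive error, so the block should use the 2.4 form `Require all denied` (one line replacing both). As rendered here the deny directives are not wrapped in a `<Files xmlrpc.php>` … `</Files>` container and the idempotency check reads `grep -q ""`, which matches any non-empty file; if the angle-bracket tags were simply lost in rendering this is harmless, but if the patch really writes them unwrapped it denies access to the entire document root and the guard never prevents a duplicate append. The guard should key on a fixed string unique to this block, e.g. `grep -qF '<Files xmlrpc.php>' "$htaccess_file"`, and the heredoc comment has a typo (`oudated` → `outdated`). `touch` creates a missing file with the caller's owner and umask; if this runs as root and the web server later runs unprivileged, the rule file may be unreadable — worth confirming against how the rest of the script sets ownership on `.htaccess`.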
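Review bot: The default `yes` on the new `WORDPRESS_ENABLE_XML_RPC` export keeps the endpoint exposed on every fresh deployment, even though the same patch's heredoc comment describes it as outdated and a source of security vulnerabilities; if backwards compatibility with XML-RPC clients is the reason, the inline comment should say so, e.g. `# yes for compatibility with XML-RPC clients; set to no to block xmlrpc.php (first initialization only)`. The existing `# only used during the first initialization` trailer is the only place this caveat appears in the patch — the README entry omits it — so an operator flipping the value on an existing volume has no signal that nothing will change.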
@@ -246,6 +246,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the WordPress XML-RPC endpoint. Default: **yes**
 
 #### Salt and keys configuration
 