XML-RPC API unbundled from Serendipity 0.9

In the current development version of Serendipity, we have unbundled the XML-RPC API functions from the release version and made the functionality to post entries via XML-RPC (MT/Blogger API) calls available as an additional plugin called Post via XML-RPC (serendipity_event_xmlrpc).

The reason for this is that, in our experience, very few people use XML-RPC posting, and it is an inherent security risk to have this functionality available if you don't use it, as the past has proven. To close this possible vulnerability, you now need to actively install the mentioned plugin to make XML-RPC posting available. Sending and receiving trackbacks is NOT affected by this; only the "Server" part of that API is.

The URL for the API endpoints will not change; if you have not installed the plugin, you will see an error message displayed. Moving this functionality into a plugin allows the Serendipity Team to respond more easily to new issues with the plugin and make enhancements to the XML-RPC module.

General advice for Serendipity 0.8.3 users is to remove the serendipity_xmlrpc.php file if you do not use XML-RPC entry posting.
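The following audit script is an added example, not part of the original post or of Serendipity itself. It checks an on-disk install for the XML-RPC server surface discussed above and assumes the endpoint lives at <install>/serendipity_xmlrpc.php and that plugins sit in <install>/plugins/<name>/ (the directory layout is an assumption; the plugin name comes from the post).

```shell
#!/bin/sh
# Audit a Serendipity install for the incoming XML-RPC server surface.
# Assumed layout (not from the post): endpoint at <install>/serendipity_xmlrpc.php,
# plugins under <install>/plugins/<plugin_name>/.
XMLRPC_PLUGIN="serendipity_event_xmlrpc"   # plugin name given in the post

# Prints one of: ABSENT, PLUGIN_ENABLED, EXPOSED_UNUSED
s9y_xmlrpc_state() {
    install_dir="$1"
    endpoint="$install_dir/serendipity_xmlrpc.php"
    plugin_dir="$install_dir/plugins/$XMLRPC_PLUGIN"
    if [ ! -f "$endpoint" ]; then
        echo "ABSENT"                 # no server endpoint on disk at all
    elif [ -d "$plugin_dir" ]; then
        echo "PLUGIN_ENABLED"         # endpoint present and posting plugin installed
    else
        echo "EXPOSED_UNUSED"         # endpoint present, nobody uses it: 0.8.3 advice applies
    fi
}

# Returns 0 when no action is needed, 1 when the endpoint file should be reviewed/removed.
s9y_xmlrpc_audit() {
    state=$(s9y_xmlrpc_state "$1")
    case "$state" in
        ABSENT)
            echo "ok: no XML-RPC server endpoint in $1"; return 0 ;;
        PLUGIN_ENABLED)
            echo "info: $XMLRPC_PLUGIN installed in $1; endpoint is intentionally in use"; return 0 ;;
        EXPOSED_UNUSED)
            echo "warn: serendipity_xmlrpc.php present in $1 without $XMLRPC_PLUGIN;" \
                 "on 0.8.3 remove it if you do not post via XML-RPC (on 0.9 it is a dummy stub)"
            return 1 ;;
    esac
}
```

Run `s9y_xmlrpc_audit /path/to/serendipity` from a cron job or deployment check; a non-zero exit flags the unused server surface the post recommends removing.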

Isotopp:

What does this technobabble mean?

It means that S9Y 0.8.3 and up will come with a function disabled that you generally do not use. By disabling this normally unused function, S9Y offers one less function to the net that may be used to attack the software. This is generally considered a good thing and a safer default than offering unused and badly maintained functionality.

If you happen to use an external editor on your PC to write your entries for your blog instead of the editor provided by S9Y, then and only then do you need to enable the XML-RPC posting plugin. This is not the case for most users of S9Y.

Wesley:

Current SVN listing still shows the XML PHP file as part of the trunk as well as the branch. I wonder if they will be removed now?

Garvin:

That's intentional. The file is still there, but it has "empty"/dummy content to support the plugin hook.

Keilaron:

Stupid question: I use the LJ-post plug-in, which uses XML-RPC to post to LJ. Is this plug-in affected by this change?

Isotopp:

Only incoming XML-RPC is affected by this change. We want to avoid running server functionality that most installations never use (but must maintain to stay secure).

Outgoing (Client) functionality is not affected.
