
XMLRPCRequest content type does not allow '%' character in passwords

Status: Open. petemit opened this issue 5 years ago, 7 comments.

I noticed in the WordPress app that I couldn't add one of my sites; the error message coming from my xmlrpc.php endpoint was a 404.

After some hours (of pain and suffering) I managed to determine that the issue is due to my password having a % symbol in it, which, with the text/xml content type, was being interpreted as something else. In my defense, it was an auto-generated password. ;)

The easy solution is to change the MIME type to application/xml instead of text/xml. I tested this on the WordPress app and sure enough, it accepted the password with a '%' character.

I didn't really know the difference between application/xml and text/xml, but it appears from the referenced RFC in this SO answer that text/xml is meant to be human readable and application/xml is not.
https://stackoverflow.com/a/4832418/8106988

I'm assuming that somewhere along the line, there is a difference in how these two MIME types are treated that is processing '%' symbols in such a way as to mangle the request.

petemit, Jan 18 '20 09:01

Thank you for the feedback! Quick status update: we're going to have a look at this in one of our future maintenance rotations, but it will get prioritized below other issues labeled high priority unless we can sneak it in as a quick fix or during one of our Hack Weeks.

designsimply, Mar 12 '20 18:03

The easy solution is to change the MIME type to application/xml instead of text/xml. I tested this on the WordPress app and sure enough, it accepted the password with a '%' character.

Hi @petemit - when you say that you changed the MIME type, where did you do the change, at the server level or in the app? Can you provide a test user so we can test and reproduce the issue?

maxme, Mar 13 '20 12:03

Hi @maxme, I don't have a test user, but it's easy to reproduce. Just make a test user that has a '%' in their password.

To fix it, I just changed this line in XMLRPCRequest: private static final String PROTOCOL_CONTENT_TYPE = String.format("text/xml; charset=%s", PROTOCOL_CHARSET);

To instead be private static final String PROTOCOL_CONTENT_TYPE = String.format("application/xml; charset=%s", PROTOCOL_CHARSET);

petemit, Mar 13 '20 12:03
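The report above hypothesises that '%' in the password is being mangled somewhere between the app and xmlrpc.php, and the proposed fix only changes the Content-Type header. The following script is an added example (not code from the FluxC project or from anyone in this thread) that lets a practitioner check both halves of that hypothesis offline: it serialises a wp.getUsersBlogs call with Python's standard xmlrpc.client, confirms the '%' survives XML encoding and decoding unchanged, shows that the request body is byte-identical whether the header says text/xml or application/xml, and then shows what a password would turn into if some hop URL-decoded the body, which is one way a '%' could be "interpreted as something else". The credentials are constructed sample values, and the URL-decoding hop is an assumption used to illustrate the reporter's hypothesis, not something the thread establishes.

```python
import xmlrpc.client
from urllib.parse import unquote

# Constructed sample credentials; not real accounts.
USERNAME = "demo"
PASSWORD_TRAILING = "Xk9!q%"   # '%' at the end, as in the original report
PASSWORD_MIDDLE = "Xk%41!q"    # '%' followed by two hex digits


def build_request(username, password, content_type="text/xml"):
    """Serialise a WordPress-style wp.getUsersBlogs call.

    Returns (headers, body_bytes). Only the Content-Type header depends on
    content_type; the body is produced by xmlrpc.client.dumps either way.
    """
    body = xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")
    body_bytes = body.encode("utf-8")
    headers = {
        "Content-Type": f"{content_type}; charset=utf-8",
        "Content-Length": str(len(body_bytes)),
    }
    return headers, body_bytes


def parse_request(body_bytes):
    """Decode the XML-RPC body the way a compliant server would."""
    params, method = xmlrpc.client.loads(body_bytes.decode("utf-8"))
    return method, params


def password_survives_xml(password):
    """True if the password round-trips through XML-RPC serialisation intact.

    '%' is not special in XML, so dumps() leaves it alone; only & < > are escaped.
    """
    _, body = build_request(USERNAME, password)
    method, params = parse_request(body)
    return method == "wp.getUsersBlogs" and params == (USERNAME, password)


def bodies_identical_across_content_types(password):
    """True if switching text/xml -> application/xml changes only the header."""
    _, text_body = build_request(USERNAME, password, "text/xml")
    _, app_body = build_request(USERNAME, password, "application/xml")
    return text_body == app_body


def percent_decoded(password):
    """What the password becomes if an intermediate hop URL-decodes it.

    Assumed failure mode, not confirmed by the thread: a '%' followed by two hex
    digits is rewritten, while a lone or trailing '%' passes through unchanged.
    """
    return unquote(password)


def is_mangled_by_percent_decoding(password):
    return percent_decoded(password) != password


if __name__ == "__main__":
    for pw in (PASSWORD_TRAILING, PASSWORD_MIDDLE):
        print(f"{pw!r}: survives XML={password_survives_xml(pw)}, "
              f"same body for both content types="
              f"{bodies_identical_across_content_types(pw)}, "
              f"after URL-decoding={percent_decoded(pw)!r}")
    # 'Xk9!q%': survives XML=True, same body ...=True, after URL-decoding='Xk9!q%'
    # 'Xk%41!q': survives XML=True, same body ...=True, after URL-decoding='XkA!q'
```

The useful takeaway is the last column: if the request is serialised correctly and the body does not change with the header, then any difference in server behaviour must come from how something downstream treats the body, and a password such as the middle one above would be silently altered by a percent-decoding hop while a trailing '%' would not, which is consistent with the placement sensitivity mentioned later in the thread.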

Just make a test user that has a '%' in their password.

I tried that, but it's working fine on my test sites (without any change in the app).

maxme, Mar 13 '20 12:03

It could be the placement of the symbol at the beginning or the end of the password. I had the issue on a Pixel 3 and on the emulator in Android Studio. I have Android 10.

petemit, Mar 13 '20 12:03

Also, an automated test might not catch it; it had to do with network serialization, so you may have to test it manually to find it.

petemit, Mar 13 '20 12:03

@petemit If you are still able to reproduce this issue with different passwords, do you mind sharing one with us so we can try reproducing the issue with our own sites? This goes without saying, but just in case, please don't share a password you're actually using.

We are having trouble reproducing the issue, so in case this wasn't about % or the application/xml change, can you think of any other change you might have tried that might be the reason for this issue?

oguzkocer, Mar 25 '20 00:03