XML-RPC: Prevent fatal error when system.multicall params are scalar#11842

Open
tommusrhodus wants to merge 2 commits into
WordPress:trunkfrom
tommusrhodus:fix/65124-ixr-multicall-non-array

Conversation


@tommusrhodus tommusrhodus commented May 15, 2026

AI Description: Validates the per-call structure inside IXR_Server::multiCall() and returns a spec-compliant fault (-32602) for malformed entries, rather than passing non-array values to IXR_Server::call() where count() would TypeError on PHP 8+. Also adds a defensive guard inside call() mirroring the existing pattern in IXR_IntrospectionServer::call().

Human Discussion:

  • Solves a 500 error being thrown in wp-includes/IXR/class-IXR-server.php, likely by malicious traffic.
  • Expands upon the existing patch in 65124 to avoid creating issues downstream by simply checking $args is an array.
  • Noting that pre-PHP 8.0 this did not throw a fatal, but changes to count() mean that a fatal is now thrown in 8.0+

Tested locally by creating an XML file with the following content:

<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param><value><array><data>
      <value><struct>
        <member><name>methodName</name><value><string>system.listMethods</string></value></member>
        <member><name>params</name><value><string>malicious-non-array</string></value></member>
      </struct></value>
    </data></array></value></param>
  </params>
</methodCall>

and then posting that to the local server:

curl -sS -X POST -H 'Content-Type: text/xml' \
    --data-binary @repro-ixr-multicall.xml \
    http://localhost:8889/xmlrpc.php -o /tmp/resp.xml -w '%{http_code}\n'

The return before this patch:

500
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>500</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>&lt;p&gt;There has been a critical error on this website.&lt;/p&gt;&lt;p&gt;&lt;a href=&quot;https://wordpress.org/documentation/article/faq-troubleshooting/&quot;&gt;Learn more about troubleshooting WordPress.&lt;/a&gt;&lt;/p&gt;</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

The return after this patch:

200
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><struct>
  <member><name>faultCode</name><value><int>-32602</int></value></member>
  <member><name>faultString</name><value><string>server error. invalid method call structure</string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

Trac ticket: https://core.trac.wordpress.org/ticket/65124

Use of AI Tools

AI assistance: Yes
Tool(s): Claude
Model(s): Opus 4.7
Used for: Initial investigation route and test suggestions; final implementation and tests were reviewed and edited by me.


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.
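As an added example (not the PR's diff or WordPress's own IXR code), a stand-alone PHP sketch of the failure and of the two guards the description above talks about: a per-entry structure check in the multicall loop and a non-array guard in call(). The method table and the one-argument unwrapping inside call() are assumptions; the fault code and string are the ones shown in the post-patch response.

```php
<?php
// Added illustration, not the WordPress IXR code: a minimal multicall
// dispatcher showing the PHP 8+ failure and the two guards the PR describes.
// The method table and the one-arg unwrapping in call() are assumptions.
function fault(int $code, string $msg): array {
    return ['faultCode' => $code, 'faultString' => $msg];
}
$methods = [
    'demo.listMethods' => fn($args) => ['demo.listMethods', 'demo.echo'],
    'demo.echo'        => fn($args) => $args,
];
// Before: $args is counted without a type check. On PHP 8+ count() on a
// string throws TypeError (PHP 7 returned 1 instead); left uncaught, it
// becomes the 500 "critical error" response quoted above.
function call_unguarded(array $methods, string $name, $args) {
    return $methods[$name](count($args) === 1 ? $args[0] : $args);
}
// After: the defensive guard in call() rejects non-arrays before count().
function call_guarded(array $methods, string $name, $args) {
    if (!is_array($args)) {
        return fault(-32602, 'server error. invalid method call structure');
    }
    return call_unguarded($methods, $name, $args);
}
// Per-call validation inside multicall: each entry must be a struct with a
// string methodName and an array of params; a malformed entry yields its own
// -32602 fault and the remaining calls still run.
function multicall(array $methods, array $calls): array {
    $out = [];
    foreach ($calls as $entry) {
        if (!is_array($entry) || !isset($entry['methodName'], $entry['params'])
            || !is_string($entry['methodName']) || !is_array($entry['params'])) {
            $out[] = fault(-32602, 'server error. invalid method call structure');
            continue;
        }
        $out[] = call_guarded($methods, $entry['methodName'], $entry['params']);
    }
    return $out;
}
// Constructed input: the decoded form of the repro XML above plus one
// well-formed call, showing the fault is per entry rather than per request.
$calls = [
    ['methodName' => 'demo.listMethods', 'params' => 'malicious-non-array'],
    ['methodName' => 'demo.echo',        'params' => ['ok']],
];
try { call_unguarded($methods, 'demo.listMethods', 'malicious-non-array'); }
catch (TypeError $e) { echo "unguarded: ", $e->getMessage(), "\n"; }
echo json_encode(multicall($methods, $calls), JSON_PRETTY_PRINT), "\n";
```

Run it under PHP 8 to see the TypeError from the unguarded path printed first, followed by the multicall result with a fault object for the first entry and the echoed value for the second.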

…array.

  Validates the per-call structure inside IXR_Server::multiCall() and returns
  a spec-compliant fault (-32602) for malformed entries, rather than passing
  non-array values to IXR_Server::call() where count() would TypeError on
  PHP 8+. Also adds a defensive guard inside call() mirroring the existing
  pattern in IXR_IntrospectionServer::call().

  Props TommusRhodus.
  Fixes #65124.
@github-actions

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props tommusrhodus.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance, it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@tommusrhodus (Author)

Unit test failures seem unrelated and belong to different testing groups.
