On Sat, Feb 11, 2017 at 12:18:06PM +0100, Martin Steigerwald wrote:
> Package: wordpress
> Version: 4.7.2+dfsg-1~bpo8+1
> Severity: normal
>
> Dear Craig,
>
> thanks for your notice on your blog. Fortunately Rodrigo was fast with
> the backport. And I think I installed the update before disclosure.

Glad it was on time :)

> According to
>
> https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/
>
> the security issue was in a feature I do not use on any of my sites.
>
> Additionally since Wordpress 4.7.2 it is not possible to disable that
> feature without installing a plugin like
>
> https://de.wordpress.org/plugins/disable-json-api/
>
> I do think this is a highly questionable approach to security that upstream
> goes there, and if upstream insists on continuing this despite all the
> comments and requests to disable that feature by default, I ask you to
> take such measures in the downstream package.

Do you have links for upstream statements about not reconsidering making
it an option? Not that I doubt about it, don't get me wrong, but just want
to see how they communicated it, because it seems something difficult to
tell it is not an *option* anymore :)

> So please consider packaging and enabling by default the above plugin in
> case upstream developers do not change their approach to prioritize
> security over enabling features by default that not everyone needs.

Just curious (sorry, I am no longer using wordpress at $DAYJOB and I'm not
really up to date), but can't you just block requests to:

  /wp-json/

on your webserver? That isn't enough or will it cause some other problems
because plugins use that? In that case, maybe you can block it at the web
server layer allowing only certain IPs?

Thanks a lot,
Rodrigo
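As an added illustration (not part of this bug report, and not code from the Debian package or from WordPress upstream), this is how the web-server-layer restriction suggested above could be expressed in nginx. The server name, document root, PHP-FPM socket path and the allowed network ranges are placeholders I am assuming; substitute your own. It also covers the `?rest_route=` query form, through which WordPress serves the same REST API when the `/wp-json/` path is not used, so that a path-only rule is not silently incomplete:

```nginx
# Added example: restrict the WordPress REST API to an allowlist of client
# addresses at the web server layer. All addresses and paths below are
# constructed placeholders, not values from the bug report.

# 1 if the client may use the REST API, 0 otherwise.
geo $rest_api_client_allowed {
    default      0;
    192.0.2.0/24 1;   # placeholder: administrative network (RFC 5737 range)
    127.0.0.1    1;   # placeholder: local tooling calling the API from the host
}

# The REST API is also reachable as /index.php?rest_route=/wp/v2/...
# Block that form too, unless the client is on the allowlist.
map "$rest_api_client_allowed:$arg_rest_route" $block_rest_route {
    default  0;
    "~^0:.+" 1;       # client not allowed AND a rest_route query argument present
}

server {
    listen      80;
    server_name wordpress.example.org;      # placeholder
    root        /var/www/wordpress;         # placeholder document root
    index       index.php;

    # Path form of the REST API: allow only listed clients, deny everyone else.
    location ^~ /wp-json/ {
        allow 192.0.2.0/24;                 # keep in sync with the geo block
        allow 127.0.0.1;
        deny  all;                          # 403 for all other clients
        try_files $uri $uri/ /index.php?$args;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Query-string form of the REST API from a non-allowlisted client.
        if ($block_rest_route) {
            return 403;
        }
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

Check the configuration with `nginx -t` before reloading, then request `/wp-json/` and `/index.php?rest_route=/` from an allowed and from a non-allowed address and confirm only the former gets a 200. As the thread notes, plugins (and any site feature) that call the REST API from the visitor's browser will stop working for clients outside the allowlist, so the allowlist needs to include every legitimate consumer, not just administrators.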