Support » Plugin: Secure XML-RPC » Confusion about calculating the Authorization header

  • Resolved benjib0t


    First off, thanks for the making this plugin! I am trying to extend the python wordpress-xmlrpc library to work with your plugin. I think all I need to do is compute and encode the header and pass it along to the server, but when I do so, I get an error that says username and password are invalid.

    wordpress_xmlrpc.exceptions.InvalidCredentialsError: Incorrect username or password.

    This is the bit of python code that sends out the header:

    23   def send_request(self, connection, handler, request_body):
     24       pk_hash = ba.hexlify(b64.b64encode(hl.sha256(self.private_key+request_body).hexdigest()))
     25       auth_header = self.public_key+'||'+pk_hash
     26       if (self.accept_gzip_encoding and gzip):
     27           connection.putrequest("POST", handler, skip_accept_encoding=True)
     28           connection.putheader("Accept-Encoding", "gzip")
     29           connection.putheader("Authorization",auth_header)
     30       else:
     31           connection.putrequest("POST", handler)
     32           connection.putheader("Authorization",auth_header)

    I am not 100% sure I am computing the header correctly – I notice in the example you provide the Authorization header is entirely in hex – the second half is not in the base64 alphabet (as it is in my code)

    The header I compute for your example:

    req_body= \
    req_body= '<?xml version="1.0?>'  + ''.join(req_body.split())
    private_key = '7647a19f5bf3e9fd001419900ad48a54'
    public_key = 'b730db0864b0d4453ba6a26ad6613cd4'
    hdr = public_key + '||' + b64.standard_b64encode(hl.sha256(private_key + req_body).hexdigest())
    print hdr

    gives me


    in constrast to your example which is


    Thanks for any help!

Viewing 13 replies - 1 through 13 (of 13 total)
  • Do you have a solution?


    No, I never did find a solution. I dug around in the source, and found that the plugin itself computed sha256(private_key + content), not b64(sha256(…)), and stopped there. It seems like this plugin doesn’t quite work as described, but maybe others have had better luck.

    To get arouund using this plugin, I my python script that prompts for a password for every post. If you’re interested, it’s here:

    Thx for the information.
    I will take a look on your script-

    Yes, only the Base64 encoding is missing when calculating the hash for authentication on the server side – I filed a pull request for it, but one could also fix this manually by calling the base64_encode() function of PHP. The other option is (which should work with the current 0.1.0 version of the plugin), if you hash with sha256 on client side only, omitting at least b64.b64encode()/b64.standard_b64encode in your Python script. Please note that Base64 encoding doesn’t add anything to security, it’s there to have a uniform way for data handling, maybe to prevent that the HTTP header gets malformed. Prompting for the password, not storing it anywhere, doesn’t help in any way, since the Secure XML-RPC plugin fixes the problem that the password gets transmitted over the network in plain text. If the password (or private key) gets or doesn’t get stored locally, is a question completely unrelated to Secure XML-RPC.

    Plugin Author Eric Mann


    You’re misunderstanding how the code works.

    A sha256 hash is a stream of bits that isn’t printable. By default, PHP’s sha256 function also base64 encodes the output. I included the reference to base64 in the documentation because people trying to implement the headers in other code systems were attempting to send an unencoded hash.

    I don’t think that hash() does Base64 encoding, because $raw_output = false results in a hex string only (0-9, a-f/A-F), while Base64 uses much more characters (A-Z, a-z, 0-9, +, /, =) to represent values.

    @benjib0t, it seems your code example is missing the closing " at the version attribute in '<?xml version="1.0?>'.

    The “Authorization:” header never reach my host. Maybe it is forbidden for security reasons.

    So, I send a “WWW-Authorization:” header, wich appear as $_SERVER[‘HTTP_WWW_AUTHORIZATION’]. I had to change lines 208 and 212 in script “/secure-xml-rpc/includes/XMLRPCS_Profile.php” to accept this header.

    Have you tried what I suggested here as addition to the “Installation” chapter of the readme file (adjusting httpd.conf or local .htaccess)?

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    in .htaccess works like a charm! THX!

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    in .htaccess works like a charm! THX!

    Plugin Author Eric Mann


    I would be VERY Careful using that kind of a rule. That rule is setting an environment variable with the data from the Authorization header – which is exactly the flaw Shellshock exposed with User Agent strings (some systems were setting environment variables for HTTP_USER_AGENT the same way).

    So what’s the better solution then? The plugin is quite useless if the Authorization header isn’t available to PHP because of server configuration…

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Confusion about calculating the Authorization header’ is closed to new replies.