IXR: check if scheme and host keys exist before accessing in IXR_Client and WP_HTTP_IXR_Client by bluefuton · Pull Request #10916 · WordPress/wordpress-develop

bluefuton · 2026-02-12T23:26:32Z

Summary

IXR_Client accesses $bits['host'] from parse_url() without checking if the key exists, which can trigger an undefined index warning for URLs without a host component (e.g. relative paths).
Uses the null coalescing operator (??) to fall back to an empty string, consistent with how port and path are already handled on the adjacent lines.
Adds a unit test to verify no error is triggered when the host is missing.

Trac ticket

https://core.trac.wordpress.org/ticket/64635
https://core.trac.wordpress.org/ticket/40784

Test plan

Verify IXR_Client no longer triggers an undefined index warning when instantiated with a URL lacking a host component
Run npm run test:php -- --filter ixr_client and confirm the tests pass

Drafted Commit Message

XML-RPC: Account for parsed URLs that do not specify host or scheme.

Developed in #10916

Props bluefuton, tfrommen, chrispecoraro, drebbits.web, westonruter.
Fixes #64635, #40784.

`parse_url()` does not always return a `host` key (e.g. for relative paths). Use the null coalescing operator to fall back to an empty string, consistent with how `port` and `path` are already handled. Adds a unit test to verify no error is triggered when the host is missing. Trac: https://core.trac.wordpress.org/ticket/64635

github-actions · 2026-02-12T23:26:44Z

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props bluefuton, westonruter, tfrommen.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

github-actions · 2026-02-12T23:42:21Z

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

All changes will be lost when closing a tab with a Playground instance.
All changes will be lost when refreshing the page.
A fresh instance is created each time the link below is clicked.
Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

tests/phpunit/tests/xmlrpc/client.php

westonruter · 2026-02-13T07:00:03Z

Should the same fix be applied to WP_HTTP_IXR_Client?

wordpress-develop/src/wp-includes/class-wp-http-ixr-client.php

Lines 26 to 29 in d3b793f

    
           $this->scheme = $bits['scheme']; 
        
           $this->server = $bits['host']; 
        
           $this->port   = $bits['port'] ?? $port; 
        
           $this->path   = ! empty( $bits['path'] ) ? $bits['path'] : '/';

bluefuton · 2026-02-15T21:06:23Z

Should the same fix be applied to WP_HTTP_IXR_Client?

Yes, I think so. There's actually an open ticket already for this:

https://core.trac.wordpress.org/ticket/40784

And the suggested patch was:

https://core.trac.wordpress.org/attachment/ticket/40784/40784.diff

Shall I address it in this PR @westonruter?

westonruter · 2026-02-15T21:40:11Z

@bluefuton ah, perfect. Yes, could you apply that patch to the PR and update it so we can address both together?

Co-authored-by: Weston Ruter <westonruter@gmail.com>

bluefuton · 2026-02-16T04:40:00Z

Yes, could you apply that patch to the PR and update it so we can address both together?

Added! 👍 I've modernized the original patch (using ?? to be consistent with the surrounding code and assertSame in tests for strict equality).

Sidenote

It looks like at one point IXR_Client was a third-party library by Simon Willison: https://simonwillison.net/2002/Sep/2/aNewXMLRPCLibraryForPHP/. This was back in 2002 and it is not actively maintained any more: https://simonwillison.net/2022/Jun/12/twenty-years/

If we are now treating it as part of WP, we could probably do some further cleanup in there, like dropping PHP4 support.

bluefuton · 2026-02-16T04:42:58Z

We should give @tfrommen props for the original patch on #40784 too :)

src/wp-includes/class-wp-http-ixr-client.php

westonruter · 2026-02-16T05:45:59Z

@bluefuton It seems the only difference between the constructors for the two classes is that WP_HTTP_IXR_Client also sets a scheme. That said, could WP_HTTP_IXR_Client::__construct() be further simplified to just:

	public function __construct( $server, $path = false, $port = false, $timeout = 15 ) {
		parent::__construct( $server, $path, $port, $timeout );
		$this->scheme = parse_url( $server, PHP_URL_SCHEME ) ?? 'http';
	}

bluefuton · 2026-02-16T23:06:05Z

It seems the only difference between the constructors for the two classes is that WP_HTTP_IXR_Client also sets a scheme. That said, could WP_HTTP_IXR_Client::__construct() be further simplified

Nice cleanup! There's one subtlety though - the parent IXR_Client::__construct() defaults the port to 80 when parsing a URL, while WP_HTTP_IXR_Client defaults to $port (which is false by default). We'd need to handle that too.

Co-authored-by: Weston Ruter <westonruter@gmail.com>

tfrommen · 2026-02-17T16:51:16Z

Hey, nice to see some work on this. 😉

The above suggestion by @westonruter would always default to 'http':

	public function __construct( $server, $path = false, $port = false, $timeout = 15 ) {
		parent::__construct( $server, $path, $port, $timeout );
		$this->scheme = parse_url( $server, PHP_URL_SCHEME ) ?? 'http';
	}

However, the current code only does this (hard-coded) if there was no $path specified.

To keep that behavior, we would need to put the code inside a conditional. Also covering the different handling of the port, this would give us this:

	public function __construct( $server, $path = false, $port = false, $timeout = 15 ) {
		parent::__construct( $server, $path, $port, $timeout );
		if ( ! $path ) {
			$this->scheme = parse_url( $server, PHP_URL_SCHEME ) ?? 'http';
			$this->port   = parse_url( $server, PHP_URL_PORT ) ?? '';
		}
	}

Thoughts?

bluefuton · 2026-02-18T04:04:43Z

I know we're a few years on from your original patch @tfrommen! Hope we can get it merged for you 🙂

The refactor to call parent::__construct() would definitely slim things down. It looks like there are a few subtle differences to navigate though, and personally I would choose to land the ?? additions and tests, and consider refactoring in a followup PR.

westonruter · 2026-02-18T04:15:57Z

@bluefuton Sounds good to me.

@tfrommen How do you feel with the PR as it stands? If you approve, I'll proceed with commit.

westonruter reviewed Feb 13, 2026

View reviewed changes

tests/phpunit/tests/xmlrpc/client.php Outdated Show resolved Hide resolved

bluefuton force-pushed the fix/ixr-client-host-key-check branch from 5215b3c to ec8d232 Compare February 16, 2026 04:25

bluefuton and others added 2 commits February 16, 2026 17:28

Add @ticket reference to unit test

83b39bd

Co-authored-by: Weston Ruter <westonruter@gmail.com>

Incorporate WP_HTTP_IXR_Client fixes from #40784

2413b12

bluefuton force-pushed the fix/ixr-client-host-key-check branch from b4eabf1 to 2413b12 Compare February 16, 2026 04:28

westonruter reviewed Feb 16, 2026

View reviewed changes

src/wp-includes/class-wp-http-ixr-client.php Outdated Show resolved Hide resolved

Use null coalescing operator on $this->path

abf51d7

Co-authored-by: Weston Ruter <westonruter@gmail.com>

bluefuton changed the title ~~IXR: check if host key exists before accessing it in IXR_Client~~ IXR: check if scheme and host keys exist before accessing in IXR_Client and WP_HTTP_IXR_Client Feb 18, 2026

westonruter approved these changes Feb 18, 2026

View reviewed changes

tfrommen approved these changes Feb 18, 2026

View reviewed changes

This comment was marked as spam.

Sign in to view

Conversation

bluefuton commented Feb 12, 2026 • edited by westonruter Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Trac ticket

Test plan

Drafted Commit Message

Uh oh!

github-actions bot commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 12, 2026

Test using WordPress Playground

Some things to be aware of

Uh oh!

Uh oh!

westonruter commented Feb 13, 2026

Uh oh!

bluefuton commented Feb 15, 2026

Uh oh!

westonruter commented Feb 15, 2026

Uh oh!

bluefuton commented Feb 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bluefuton commented Feb 16, 2026

Uh oh!

Uh oh!

westonruter commented Feb 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bluefuton commented Feb 16, 2026

Uh oh!

tfrommen commented Feb 17, 2026

Uh oh!

bluefuton commented Feb 18, 2026

Uh oh!

westonruter commented Feb 18, 2026

Uh oh!

This comment was marked as spam.

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Comments

bluefuton commented Feb 12, 2026 •

edited by westonruter

Loading

github-actions bot commented Feb 12, 2026 •

edited

Loading

bluefuton commented Feb 16, 2026 •

edited

Loading

westonruter commented Feb 16, 2026 •

edited

Loading