From 7ef5a65f44850f359082e163dc5e74dae7c6fee7 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 21 Dec 2020 20:21:12 +0000
Subject: [PATCH] XML-RPC: Emit an appropriate HTTP status code when an error is returned in response to an XML-RPC request. This most notably affects the response when XML-RPC is disabled or when the supplied username and password is incorrect. Props ericmann Fixes #48213 git-svn-id: https://develop.svn.wordpress.org/trunk@49862 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/IXR/class-IXR-server.php | 5 +++++
 src/wp-includes/class-wp-xmlrpc-server.php | 4 ++--
 tests/phpunit/tests/xmlrpc/basic.php | 9 +++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/IXR/class-IXR-server.php b/src/wp-includes/IXR/class-IXR-server.php
index 3112d23815..2ead9b783c 100644
--- a/src/wp-includes/IXR/class-IXR-server.php
+++ b/src/wp-includes/IXR/class-IXR-server.php
@@ -129,6 +129,11 @@ EOD;
 if ($message && !is_object($error)) {
 $error = new IXR_Error($error, $message);
 }
+
+ if ( function_exists( 'status_header' ) ) {
+ status_header( $error->code );
+ }
+
 $this->output($error->getXml());
 }
diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 0be3318ee7..f45576aaef 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -286,8 +286,8 @@ class wp_xmlrpc_server extends IXR_Server {
 *
 * @since 3.5.0
 *
- * @param string $error The XML-RPC error message.
- * @param WP_Error $user WP_Error object.
+ * @param IXR_Error $error The XML-RPC error message.
+ * @param WP_Error $user WP_Error object.
 */
 $this->error = apply_filters( 'xmlrpc_login_error', $this->error, $user );
 return false;
diff --git a/tests/phpunit/tests/xmlrpc/basic.php b/tests/phpunit/tests/xmlrpc/basic.php
index 25e36f7204..e167d395be 100644
--- a/tests/phpunit/tests/xmlrpc/basic.php
+++ b/tests/phpunit/tests/xmlrpc/basic.php
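Review bot: In IXR_Server::error() (src/wp-includes/IXR/class-IXR-server.php) the XML-RPC fault code is handed to status_header() unchecked, so whether a given `$error->code` ends up as the HTTP status depends entirely on what status_header() accepts. Fault codes are not HTTP statuses by definition (the spec-reserved ones are negative, and callers can presumably build an IXR_Error with any integer), so an explicit range check would keep an unrelated code from changing the response line: `if ( function_exists( 'status_header' ) && $error->code >= 400 && $error->code < 600 ) {`. For monitoring, only faults routed through error() get the new status; faults returned inside an otherwise successful response body would presumably still arrive with 200, so detections for failed XML-RPC logins should keep inspecting the fault body as well. The body of error() starts above the hunk.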
@@ -16,6 +16,15 @@ class Tests_XMLRPC_Basic extends WP_XMLRPC_UnitTestCase {
 $this->assertSame( 403, $result->code );
 }
+ function test_disabled() {
+ add_filter( 'xmlrpc_enabled', '__return_false' );
+
+ $result = $this->myxmlrpcserver->wp_getOptions( array( 1, 'username', 'password' ) );
+
+ $this->assertIXRError( $result );
+ $this->assertSame( 405, $result->code );
+ }
+
 function test_login_pass_ok() {
 $user_id = $this->make_user_by_role( 'subscriber' );
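Review bot: test_disabled() asserts only the fault code on the IXR_Error returned by wp_getOptions(); as far as the hunk shows, that call path never reaches the status_header() call this commit adds in IXR_Server::error(), so the new HTTP-status behaviour has no regression test here. If error() cannot be exercised in the harness, a comment would make the gap explicit, e.g. `// Checks the XML-RPC fault code only; the HTTP status set in IXR_Server::error() is not covered here.` The filter added with `add_filter( 'xmlrpc_enabled', '__return_false' )` is not removed inside the test, which is fine only if the base test case resets hooks between tests; that is worth confirming. test_login_pass_ok() continues outside the hunk.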