[bitnami/wordpress, bitnami/wordpress-nginx] Add env var to disable XML-RPC (#51077)

* Add configuration for Wordpress XML-RPC endpoint

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Move htaccess_file var computation to function

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Remove unneeded function argument

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Add XML-RPC disable for wordpress-nginx

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Move XML-RPC function for apache wordpress to server config to be similiar to wordpress-nginx

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Fix broken command

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Remove comments

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

* Change `WORDPRESS_ENABLE_XML_RPC` default value to `no`

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

---------

Signed-off-by: Kim Oliver Drechsel <kim@drechsel.xyz>

bitnami/wordpress-nginx/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh

@@ -92,6 +92,7 @@ wordpress_validate() {
     check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
     check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
     check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
+    check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 
     # Multisite validations
     check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
@@ -726,6 +727,12 @@ wordpress_generate_web_server_configuration() {
         error "Unknown WordPress Multisite network mode"
         return 1
     fi
+
+    if ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC"; then
+        apache_config+=$'\n'"$(render-template "${template_dir}/apache-wordpress-disable-xml-rpc.tpl")"
+        nginx_config+=$'\n'"$(render-template "${template_dir}/nginx-wordpress-disable-xml-rpc.tpl")"
+    fi
+
     web_server_config_create_flags+=("--apache-extra-directory-configuration" "$apache_config" "--nginx-additional-configuration" "$nginx_config")
     [[ -n "$nginx_external_config" ]] && web_server_config_create_flags+=("--nginx-external-configuration" "$nginx_external_config")
     ensure_web_server_app_configuration_exists "wordpress" --type "php" "${web_server_config_create_flags[@]}"

bitnami/wordpress-nginx/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh

@@ -47,6 +47,7 @@ wordpress_env_vars=(
     WORDPRESS_LOGGED_IN_SALT
     WORDPRESS_NONCE_SALT
     WORDPRESS_ENABLE_REVERSE_PROXY
+    WORDPRESS_ENABLE_XML_RPC
     WORDPRESS_USERNAME
     WORDPRESS_PASSWORD
     WORDPRESS_EMAIL
@@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-no}"
 
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization

bitnami/wordpress-nginx/6/debian-11/rootfs/opt/bitnami/scripts/wordpress/bitnami-templates/apache-wordpress-disable-xml-rpc.tpl

@@ -0,0 +1,8 @@
+# BEGIN Disable WordPress XML-RPC endpoint
+# Disable the outdated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+# https://github.com/bitnami/containers/pull/51077
+<Files xmlrpc.php>
+Order Allow,Deny
+Deny from all
+</Files>
+# END Disable WordPress XML-RPC endpoint

bitnami/wordpress-nginx/6/debian-11/rootfs/opt/bitnami/scripts/wordpress/bitnami-templates/nginx-wordpress-disable-xml-rpc.tpl

@@ -0,0 +1,7 @@
+# BEGIN Disable WordPress XML-RPC endpoint
+# Disable the outdated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+# https://github.com/bitnami/containers/pull/51077
+location = /xmlrpc.php {
+    deny all;
+}
+# END Disable WordPress XML-RPC endpoint

bitnami/wordpress-nginx/README.md

@@ -240,6 +240,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the WordPress XML-RPC endpoint. Default: **no**
 
 #### Multisite configuration
 

bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh

@@ -92,6 +92,7 @@ wordpress_validate() {
     check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
     check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
     check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
+    check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 
     # Multisite validations
     check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
@@ -726,6 +727,12 @@ wordpress_generate_web_server_configuration() {
         error "Unknown WordPress Multisite network mode"
         return 1
     fi
+
+    if ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC"; then
+        apache_config+=$'\n'"$(render-template "${template_dir}/apache-wordpress-disable-xml-rpc.tpl")"
+        nginx_config+=$'\n'"$(render-template "${template_dir}/nginx-wordpress-disable-xml-rpc.tpl")"
+    fi
+
     web_server_config_create_flags+=("--apache-extra-directory-configuration" "$apache_config" "--nginx-additional-configuration" "$nginx_config")
     [[ -n "$nginx_external_config" ]] && web_server_config_create_flags+=("--nginx-external-configuration" "$nginx_external_config")
     ensure_web_server_app_configuration_exists "wordpress" --type "php" "${web_server_config_create_flags[@]}"

bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh

@@ -47,6 +47,7 @@ wordpress_env_vars=(
     WORDPRESS_LOGGED_IN_SALT
     WORDPRESS_NONCE_SALT
     WORDPRESS_ENABLE_REVERSE_PROXY
+    WORDPRESS_ENABLE_XML_RPC
     WORDPRESS_USERNAME
     WORDPRESS_PASSWORD
     WORDPRESS_EMAIL
@@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-no}"
 
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization

bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress/bitnami-templates/apache-wordpress-disable-xml-rpc.tpl

@@ -0,0 +1,8 @@
+# BEGIN Disable WordPress XML-RPC endpoint
+# Disable the outdated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+# https://github.com/bitnami/containers/pull/51077
+<Files xmlrpc.php>
+Order Allow,Deny
+Deny from all
+</Files>
+# END Disable WordPress XML-RPC endpoint

bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress/bitnami-templates/nginx-wordpress-disable-xml-rpc.tpl

@@ -0,0 +1,7 @@
+# BEGIN Disable WordPress XML-RPC endpoint
+# Disable the outdated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+# https://github.com/bitnami/containers/pull/51077
+location = /xmlrpc.php {
+    deny all;
+}
+# END Disable WordPress XML-RPC endpoint

bitnami/wordpress/README.md

@@ -246,6 +246,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the WordPress XML-RPC endpoint. Default: **no**
 
 #### Salt and keys configuration