Ticket #24646: 24646.5.diff
File 24646.5.diff, 3.7 KB (added by , 11 years ago) |
-
wp-includes/default-filters.php
196 196 add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' ); 197 197 add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' ); 198 198 199 add_filter( 'http_request_host_is_external', 'allowed_http_request_hosts', 10, 2 ); 200 199 201 // Actions 200 202 add_action( 'wp_head', 'wp_enqueue_scripts', 1 ); 201 203 add_action( 'wp_head', 'feed_links', 2 ); -
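Review bot: The `http_request_host_is_external` registration added on new line 199 has no comment saying that it ties the redirect allowlist to the outbound-request check, which is a security-relevant coupling. As far as the visible callback shows, any host that `wp_validate_redirect()` accepts is then permitted for safe HTTP requests even when it resolves to a loopback, 10.x, 172.16–31.x or 192.168.x address. A plugin that widens the redirect allowlist for user-facing redirects would therefore also widen what the server itself may fetch. I would add a comment above the line, for example `// Hosts allowed for redirects are also allowed for safe HTTP requests, including ones that resolve to private addresses.`, so the effect is visible where the filter is wired up.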
wp-includes/http.php
442 442 $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); 443 443 444 444 if ( ! $same_host ) { 445 $host = trim( $parsed_url['host'], '.');445 $host = strtolower( trim( $parsed_url['host'], '.' ) ); 446 446 if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) { 447 447 $ip = $host; 448 448 } else { … … 451 451 $ip = false; 452 452 } 453 453 if ( $ip ) { 454 if ( '127.0.0.1' === $ip )455 return false;456 454 $parts = array_map( 'intval', explode( '.', $ip ) ); 457 if ( 10 === $parts[0] ) 458 return false; 459 if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) 460 return false; 461 if ( 192 === $parts[0] && 168 === $parts[1] ) 462 return false; 455 if ( '127.0.0.1' === $ip 456 || ( 10 === $parts[0] ) 457 || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) 458 || ( 192 === $parts[0] && 168 === $parts[1] ) 459 ) { 460 // If host appears local, reject unless specifically allowed. 461 if ( ! apply_filters( 'http_request_host_is_external', false, $host ) ) 462 return false; 463 } 463 464 } 464 465 } 465 466 … … 475 476 476 477 return false; 477 478 } 479 480 /** 481 * Whitelists allowed redirect hosts for safe HTTP requests as well. 482 * 483 * Attached to the http_request_host_is_external filter. 484 * 485 * @since 3.6.0 486 * 487 * @param bool $is_external 488 * @param string $host 489 * @return bool 490 */ 491 function allowed_http_request_hosts( $is_external, $host ) { 492 if ( ! $is_external && wp_validate_redirect( 'http://' . $host ) ) 493 $is_external = true; 494 return $is_external; 495 } 496 497 /** 498 * Whitelists any domain in a multisite installation for safe HTTP requests. 499 * 500 * Attached to the http_request_host_is_external filter. 501 * 502 * @since 3.6.0 503 * 504 * @param bool $is_external 505 * @param string $host 506 * @return bool 507 */ 508 function ms_allowed_http_request_hosts( $is_external, $host ) { 509 global $wpdb, $current_site; 510 static $queried; 511 if ( ! 
isset( $queried ) ) 512 $queried = array( $current_site->domain => true ); 513 if ( $is_external ) 514 return $is_external; 515 if ( isset( $queried[ $host ] ) ) 516 return $queried[ $host ]; 517 $queried[ $host ] = (bool) $wpdb->get_var( $wpdb->prepare( "SELECT domain FROM $wpdb->blogs WHERE domain = %s LIMIT 1", $host ) ); 518 return $queried[ $host ]; 519 } -
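Review bot: The merged condition on new lines 455-459 still recognises loopback only as the literal `'127.0.0.1' === $ip`, so the rest of 127.0.0.0/8, the 0.0.0.0/8 block and link-local 169.254.0.0/16 are never classified as local and reach neither the new filter nor the `return false`. Because `$parts` is already computed on line 454, the first clause could become `( 127 === $parts[0] || 0 === $parts[0] )`, with an added `|| ( 169 === $parts[0] && 254 === $parts[1] )`. The allow decision is also taken on `$host` while the range test is taken on the resolved `$ip`; passing `$ip` as an extra filter argument would let callbacks check both, though that changes the filter's signature. The enclosing function starts and ends outside the visible hunks and the branch between lines 448 and 451 is elided, so how hosts that are not dotted quads get resolved cannot be confirmed from here.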
wp-includes/ms-default-filters.php
63 63 remove_filter( 'option_home', '_config_wp_home' ); 64 64 65 65 // If the network upgrade hasn't run yet, assume ms-files.php rewriting is used. 66 add_filter( 'default_site_option_ms_files_rewriting', '__return_true' ); 67 No newline at end of file 66 add_filter( 'default_site_option_ms_files_rewriting', '__return_true' ); 67 68 // Whitelist multisite domains for HTTP requests 69 add_filter( 'http_request_host_is_external', 'ms_allowed_http_request_hosts', 20, 2 );