Ticket #34419: 34419.diff

src/wp-includes/class-wp-xmlrpc-server.php

@@ -6232 +6232 @@
                         return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
 
                 // let's find which post is linked to
-                // FIXME: does url_to_postid() cover all these cases already?
-                //        if so, then let's use it and drop the old code.
-                $urltest = parse_url($pagelinkedto);
-                if ( $post_ID = url_to_postid($pagelinkedto) ) {
-                        // $way
-                } elseif ( isset( $urltest['path'] ) && preg_match('#p/[0-9]{1,}#', $urltest['path'], $match) ) {
-                        // the path defines the post_ID (archives/p/XXXX)
-                        $blah = explode('/', $match[0]);
-                        $post_ID = (int) $blah[1];
-                } elseif ( isset( $urltest['query'] ) && preg_match('#p=[0-9]{1,}#', $urltest['query'], $match) ) {
-                        // the querystring defines the post_ID (?p=XXXX)
-                        $blah = explode('=', $match[0]);
-                        $post_ID = (int) $blah[1];
-                } elseif ( isset($urltest['fragment']) ) {
-                        // an #anchor is there, it's either...
-                        if ( intval($urltest['fragment']) ) {
-                                // ...an integer #XXXX (simplest case)
-                                $post_ID = (int) $urltest['fragment'];
-                        } elseif ( preg_match('/post-[0-9]+/',$urltest['fragment']) ) {
-                                // ...a post id in the form 'post-###'
-                                $post_ID = preg_replace('/[^0-9]+/', '', $urltest['fragment']);
-                        } elseif ( is_string($urltest['fragment']) ) {
-                                // ...or a string #title, a little more complicated
-                                $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
-                                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title );
-                                if (! ($post_ID = $wpdb->get_var($sql)) ) {
-                                        // returning unknown error '0' is better than die()ing
-                                        return $this->pingback_error( 0, '' );
-                                }
-                        }
-                } else {
-                        // TODO: Attempt to extract a post ID from the given URL
+                $post_ID = url_to_postid($pagelinkedto);
+                if ( ! $post_ID ) {
                         return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
                 }
-                $post_ID = (int) $post_ID;
 
+                $post_ID = (int) $post_ID;
                 $post = get_post($post_ID);
 
-                if ( !$post ) // Post_ID not found
+                if ( ! $post ) // Post_ID not found
                         return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
                 if ( $post_ID == url_to_postid($pagelinkedfrom) )
                         return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
 
                 // Check if pings are on
-                if ( !pings_open($post) )
+                if ( ! pings_open( $post ) )
                         return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
                 // Let's check that the remote site didn't already pingback this entry
-                if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
+                $dupe_args = array(
+                                'comment_post_ID' => $post_ID,
+                                'author_url' => $pagelinkedfrom
+                );
+                $comments = get_comments( $dupe_args );
+                if ( ! empty( $comments ) ) {
                         return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
-
+                }
                 // very stupid, but gives time to the 'from' server to publish !
                 sleep(1);
 
@@ -6296 +6271 @@
                 $http_api_args = array(
                         'timeout' => 10,
                         'redirection' => 0,
-                        'limit_response_size' => 153600, // 150 KB
+                        'limit_response_size' => 1048576, // 1mb
                         'user-agent' => "$user_agent; verifying pingback from $remote_ip",
                         'headers' => array(
                                 'X-Pingback-Forwarded-For' => $remote_ip,
                         ),
                 );
+                // Make sure the resource is a valid one before retrieving it
+                $request = wp_safe_remote_head( $pagelinkedfrom, $http_api_args );
+                $content_type = wp_remote_retrieve_header( $request, 'content-type' );
+    if ( is_wp_error( $request ) ) {
+      return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
+    }
+                // Protect Against Someone Trying to Make Us Download Media Files
+                if ( preg_match( '#(image|audio|video|model)/#is', $content_type ) ) {
+      return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+                }
 
                 $request = wp_safe_remote_get( $pagelinkedfrom, $http_api_args );
                 $remote_source = $remote_source_original = wp_remote_retrieve_body( $request );
 
-                if ( ! $remote_source ) {
-                        return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
-                }
-
                 /**
                  * Filter the pingback remote source.
                  *
@@ -6320 +6301 @@
                  */
                 $remote_source = apply_filters( 'pre_remote_source', $remote_source, $pagelinkedto );
 
-                // Work around bug in strip_tags():
-                $remote_source = str_replace( '<!DOC', '<DOC', $remote_source );
-                $remote_source = preg_replace( '/[\r\n\t ]+/', ' ', $remote_source ); // normalize spaces
-                $remote_source = preg_replace( "/<\/*(h1|h2|h3|h4|h5|h6|p|th|td|li|dt|dd|pre|caption|input|textarea|button|body)[^>]*>/", "\n\n", $remote_source );
-
-                preg_match( '|<title>([^<]*?)</title>|is', $remote_source, $matchtitle );
-                $title = $matchtitle[1];
-                if ( empty( $title ) )
-                        return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
-
-                $remote_source = strip_tags( $remote_source, '<a>' ); // just keep the tag we need
-
-                $p = explode( "\n\n", $remote_source );
-
-                $preg_target = preg_quote($pagelinkedto, '|');
-
-                foreach ( $p as $para ) {
-                        if ( strpos($para, $pagelinkedto) !== false ) { // it exists, but is it a link?
-                                preg_match("|<a[^>]+?".$preg_target."[^>]*>([^>]+?)</a>|", $para, $context);
-
-                                // If the URL isn't in a link context, keep looking
-                                if ( empty($context) )
-                                        continue;
-
-                                // We're going to use this fake tag to mark the context in a bit
-                                // the marker is needed in case the link text appears more than once in the paragraph
-                                $excerpt = preg_replace('|\</?wpcontext\>|', '', $para);
+                $verified = strpos( $remote_source, str_replace( array( 'http://www.', 'http://', 'https://www.', 'https://' ), '', untrailingslashit( preg_replace( '/#.*/', '', $pagelinkedto ) ) ) );
+    /**
+     * Filter the verification to allow for stricter controls.
+     *
+     * @since 4.6.0
+     *
+                 * @param boolean $verified Is the provided
+     * @param string $remote_source Response source for the page linked from.
+     * @param string $pagelinkedto  URL of the page linked to.
+     * @param string $content_type  The content type of the remote source.
+     */
+    $verified = apply_filters( 'ping_source_verified', $verified, $remote_source, $pagelinkedto, $content_type );
+    if ( ! $verified ) { // Link to target not found
+      return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+                }
 
-                                // prevent really long link text
-                                if ( strlen($context[1]) > 100 )
-                                        $context[1] = substr($context[1], 0, 100) . '&#8230;';
+                // Sanitized for Your Protection
+                $remote_source = wp_kses_post( $remote_source );
 
-                                $marker = '<wpcontext>'.$context[1].'</wpcontext>';    // set up our marker
-                                $excerpt= str_replace($context[0], $marker, $excerpt); // swap out the link for our marker
-                                $excerpt = strip_tags($excerpt, '<wpcontext>');        // strip all tags but our context marker
-                                $excerpt = trim($excerpt);
-                                $preg_marker = preg_quote($marker, '|');
-                                $excerpt = preg_replace("|.*?\s(.{0,100}$preg_marker.{0,100})\s.*|s", '$1', $excerpt);
-                                $excerpt = strip_tags($excerpt); // YES, again, to remove the marker wrapper
-                                break;
-                        }
+                preg_match( '/<title>(.+)<\/title>/i', $remote_source, $matchtitle);
+                $title = trim( $matchtitle[1] );
+                // If there is no title use the domain name
+                if ( empty( $title ) ) { 
+                        $host = wp_parse_url( $pagelinkedfrom );
+                        $title = preg_replace( '/^www\./', '', $host['host'] );
                 }
 
-                if ( empty($context) ) // Link to target not found
-                        return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+                $comment_content = sprintf( __( '<a href="%s">%s</a> linked to this.'), $pagelinkedfrom, $title );
 
                 $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
-
-                $context = '[&#8230;] ' . esc_html( $excerpt ) . ' [&#8230;]';
                 $pagelinkedfrom = $this->escape( $pagelinkedfrom );
 
                 $comment_post_ID = (int) $post_ID;
@@ -6376 +6338 @@
                 $comment_author_email = '';
                 $this->escape($comment_author);
                 $comment_author_url = $pagelinkedfrom;
-                $comment_content = $context;
+
                 $this->escape($comment_content);
                 $comment_type = 'pingback';
 
                 $commentdata = compact(
                         'comment_post_ID', 'comment_author', 'comment_author_url', 'comment_author_email',
-                        'comment_content', 'comment_type', 'remote_source', 'remote_source_original'
+                        'comment_content', 'comment_type', 'remote_source', 'remote_source_original', 'content_type'
                 );
 
                 $comment_ID = wp_new_comment($commentdata);