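--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -6303,6 +6303,17 @@ class wp_xmlrpc_server extends IXR_Server {
 ),
 );
 
+// Make sure the resource is a valid one before retrieving it
+$request = wp_safe_remote_head( $pagelinkedfrom, $http_api_args );
+$content_type = wp_remote_retrieve_header( $request, 'content-type' );
+if ( is_wp_error( $request ) ) {
+return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
+}
+// Protect Against Someone Trying to Make Us Download Media Files
+if ( preg_match( '#(image|audio|video|model)/#is', $content_type ) ) {
+return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+}
+
 $request = wp_safe_remote_get( $pagelinkedfrom, $http_api_args );
 $remote_source = $remote_source_original = wp_remote_retrieve_body( $request );
 
@@ -6320,6 +6331,23 @@ class wp_xmlrpc_server extends IXR_Server {
 */
 $remote_source = apply_filters( 'pre_remote_source', $remote_source, $pagelinkedto );
 
+// A straight text search of the source
+$verified = strpos( $remote_source, str_replace( array( 'http://www.', 'http://', 'https://www.', 'https://' ), '', untrailingslashit( preg_replace( '/#.*/', '', $pagelinkedto ) ) ) );
+/**
+* Filter the verification to allow for stricter controls.
+*
+* @since 4.6.0
+*
+* @param boolean $verified Is the provided URL in the retrieved source?
+* @param string $remote_source Response source for the page linked from.
+* @param string $pagelinkedto URL of the page linked to.
+* @param string $content_type The content type of the remote source.
+*/
+$verified = apply_filters( 'ping_source_verified', $verified, $remote_source, $pagelinkedto, $content_type );
+if ( ! $verified ) { // Link to target not found
+return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+}
+
 // Work around bug in strip_tags():
 $remote_source = str_replace( '<!DOC', '<DOC', $remote_source );
 $remote_source = preg_replace( '/[\r\n\t ]+/', ' ', $remote_source ); // normalize spaces
@@ -6382,7 +6410,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 $commentdata = compact(
 'comment_post_ID', 'comment_author', 'comment_author_url', 'comment_author_email',
-'comment_content', 'comment_type', 'remote_source', 'remote_source_original'
+'comment_content', 'comment_type', 'remote_source', 'remote_source_original', 'content-type'
 );
 
 $comment_ID = wp_new_comment($commentdata);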
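Review bot: The media-type guard in the first hunk only inspects the HEAD response, but the body is then fetched by a separate wp_safe_remote_get(), so a hostile server that answers HEAD with text/html and GET with a large binary bypasses it, and the blocklist `(image|audio|video|model)/` lets application/octet-stream, application/zip and similar through regardless; re-read `$content_type = wp_remote_retrieve_header( $request, 'content-type' );` from the GET response and reject anything that is not text/html or application/xhtml+xml rather than matching a blocklist (whether $http_api_args already bounds the response size is not visible here). In the second hunk `$verified = strpos( ... )` returns 0 when the stripped target URL sits at offset 0 of the source, which `! $verified` treats as not found, and the filter docblock then mislabels the value as boolean; write `$verified = false !== strpos( $remote_source, ... );` so the filter receives the documented boolean. In the third hunk `compact()` is passed `'content-type'`, which cannot be a PHP variable name, so the key is silently dropped from $commentdata (with an undefined-variable notice) — the variable set earlier is `$content_type`, so the argument should read `'content_type'`. The enclosing pingback_ping() method starts and ends outside these hunks.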