
Ticket #36766: 36766.diff

File 36766.diff, 2.7 KB (added by dshanske, 9 years ago)
  • src/wp-includes/class-wp-xmlrpc-server.php

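--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -6303,6 +6303,17 @@ class wp_xmlrpc_server extends IXR_Server {
 			),
 		);
 
+		// Make sure the resource is a valid one before retrieving it
+		$request = wp_safe_remote_head( $pagelinkedfrom, $http_api_args );
+		$content_type = wp_remote_retrieve_header( $request, 'content-type' );
+		if ( is_wp_error( $request ) ) {
+			return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
+		}
+		// Protect Against Someone Trying to Make Us Download Media Files
+		if ( preg_match( '#(image|audio|video|model)/#is', $content_type ) ) {
+			return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+		}
+
 		$request = wp_safe_remote_get( $pagelinkedfrom, $http_api_args );
 		$remote_source = $remote_source_original = wp_remote_retrieve_body( $request );
 
@@ -6320,6 +6331,23 @@ class wp_xmlrpc_server extends IXR_Server {
 		 */
 		$remote_source = apply_filters( 'pre_remote_source', $remote_source, $pagelinkedto );
 
+		// A straight text search of the source
+		$verified = strpos( $remote_source, str_replace( array( 'http://www.', 'http://', 'https://www.', 'https://' ), '', untrailingslashit( preg_replace( '/#.*/', '', $pagelinkedto ) ) ) );
+		/**
+		 * Filter the verification to allow for stricter controls.
+		 *
+		 * @since 4.6.0
+		 *
+		 * @param boolean $verified Is the provided URL in the retrieved source?
+		 * @param string $remote_source Response source for the page linked from.
+		 * @param string $pagelinkedto  URL of the page linked to.
+		 * @param string $content_type  The content type of the remote source.
+		 */
+		$verified = apply_filters( 'ping_source_verified', $verified, $remote_source, $pagelinkedto, $content_type );
+		if ( ! $verified ) { // Link to target not found
+			return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
+		}
+
 		// Work around bug in strip_tags():
 		$remote_source = str_replace( '<!DOC', '<DOC', $remote_source );
 		$remote_source = preg_replace( '/[\r\n\t ]+/', ' ', $remote_source ); // normalize spaces
@@ -6382,7 +6410,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		$commentdata = compact(
 			'comment_post_ID', 'comment_author', 'comment_author_url', 'comment_author_email',
-			'comment_content', 'comment_type', 'remote_source', 'remote_source_original'
+			'comment_content', 'comment_type', 'remote_source', 'remote_source_original', 'content-type'
 		);
 
 		$comment_ID = wp_new_comment($commentdata);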
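Review bot: `$verified = strpos( $remote_source, ... )` in the second hunk yields an int or false, so a target URL found at offset 0 is falsy and `if ( ! $verified )` rejects a source that really does link to us, while the `ping_source_verified` docblock promises filters a boolean they never receive; compare explicitly, `$verified = false !== strpos( $remote_source, str_replace( array( 'http://www.', 'http://', 'https://www.', 'https://' ), '', untrailingslashit( preg_replace( '/#.*/', '', $pagelinkedto ) ) ) );`. In the third hunk `compact( ..., 'content-type' )` can never resolve because no variable `$content-type` can exist; the value lives in `$content_type`, so the key is silently missing from `$commentdata` (and a notice on newer PHP) — change the argument to `'content_type'` and read that key downstream. Separately, `$content_type` comes from the HEAD response while the body comes from a second GET, so the type passed to the filter and stored with the comment may not describe the body actually fetched, the peer chooses the Content-Type header so the media deny-list is best-effort at most, and every unauthenticated pingback now triggers two outbound requests; reading the header from the GET response would remove the mismatch and the extra request, provided the download-size concern the HEAD pre-flight addresses is already covered by `limit_response_size` in `$http_api_args`, which is defined outside the hunk. The enclosing `pingback_ping` method starts and ends outside these hunks.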