
Changeset 23330


Timestamp:
01/22/13 22:32:06 (15 months ago)
Author:
nacin
Message:

Validate pingback source URIs. Less verbose errors.

Location:
branches/3.5/wp-includes
Files:
3 edited

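--- a/branches/3.5/wp-includes/class-wp-xmlrpc-server.php (r22914)
+++ b/branches/3.5/wp-includes/class-wp-xmlrpc-server.php (r23330)
@@ -5310,8 +5310,12 @@
         $pagelinkedto = str_replace('&', '&', $pagelinkedto);
 
+        $pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto );
+        if ( ! $pagelinkedfrom )
+            return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) );
+
         // Check if the page linked to is in our site
         $pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home')));
         if ( !$pos1 )
-            return new IXR_Error(0, __('Is there no link to us?'));
+            return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
 
         // let's find which post is linked to
@@ -5347,5 +5351,5 @@
                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                     // returning unknown error '0' is better than die()ing
-                    return new IXR_Error(0, '');
+                    return $this->pingback_error( 0, '' );
                 }
                 $way = 'from the fragment (title)';
@@ -5353,5 +5357,5 @@
         } else {
             // TODO: Attempt to extract a post ID from the given URL
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
         }
         $post_ID = (int) $post_ID;
@@ -5360,16 +5364,16 @@
 
         if ( !$post ) // Post_ID not found
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
         if ( $post_ID == url_to_postid($pagelinkedfrom) )
-            return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.'));
+            return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
 
         // Check if pings are on
         if ( !pings_open($post) )
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
         // Let's check that the remote site didn't already pingback this entry
         if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
-            return new IXR_Error( 48, __( 'The pingback has already been registered.' ) );
+            return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
 
         // very stupid, but gives time to the 'from' server to publish !
@@ -5377,7 +5381,7 @@
 
         // Let's check the remote site
-        $linea = wp_remote_fopen( $pagelinkedfrom );
+        $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) );
         if ( !$linea )
-            return new IXR_Error(16, __('The source URL does not exist.'));
+            return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
 
         $linea = apply_filters('pre_remote_source', $linea, $pagelinkedto);
@@ -5391,5 +5395,5 @@
         $title = $matchtitle[1];
         if ( empty( $title ) )
-            return new IXR_Error(32, __('We cannot find a title on that page.'));
+            return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
 
         $linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
@@ -5427,5 +5431,5 @@
 
         if ( empty($context) ) // Link to target not found
-            return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.'));
+            return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
 
         $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
@@ -5474,5 +5478,5 @@
         if ( !$post_ID ) {
             // We aren't sure that the resource is available and/or pingback enabled
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.' ) );
         }
 
@@ -5481,5 +5485,5 @@
         if ( !$actual_post ) {
             // No such post = resource not found
-            return new IXR_Error(32, __('The specified target URL does not exist.'));
+            return $this->pingback_error( 32, __('The specified target URL does not exist.' ) );
         }
 
@@ -5497,3 +5501,7 @@
         return $pingbacks;
     }
+
+    protected function pingback_error( $code, $message ) {
+        return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) );
+    }
 }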
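Review bot: The host that the `pingback_ping_source_uri` filter resolves at the top of the first hunk and the host that `wp_remote_get` resolves a few lines later are two independent DNS lookups, so a name whose answer changes between them (rebinding) or a name with several A records can still land the fetch on a loopback or RFC 1918 address the filter would have rejected; `'redirection' => 0` correctly stops a redirect from re-targeting the fetch, but does not cover that case. Because the guard lives in a removable filter and the server only tests `! $pagelinkedfrom`, I would document the dependency above the `apply_filters` call: `// The default pingback_ping_source_uri filter rejects userinfo, IPv6 literals, unusual ports and private/loopback hosts; wp_remote_get resolves the host again, so a DNS change between the two lookups is not covered here.` A longer-term fix would resolve once and connect to the validated address. The enclosing pingback_ping method begins before this section; the new pingback_error helper at the end is the only complete definition shown.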
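--- a/branches/3.5/wp-includes/comment.php (r22229)
+++ b/branches/3.5/wp-includes/comment.php (r23330)
@@ -1952,4 +1952,84 @@
 }
 
+/**
+ * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI
+ *
+ * @since 3.5.1
+ *
+ * @param string $source_uri
+ * @return string
+ */
+function pingback_ping_source_uri( $source_uri ) {
+    $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
+    if ( ! $uri )
+        return '';
+
+    $parsed_url = @parse_url( $uri );
+    if ( ! $parsed_url )
+        return '';
+
+    if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+        return '';
+
+    if ( false !== strpos( $parsed_url['host'], ':' ) )
+        return '';
+
+    $parsed_home = @parse_url( get_option( 'home' ) );
+
+    $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+
+    if ( ! $same_host ) {
+        $host = trim( $parsed_url['host'], '.' );
+        if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+            $ip = $host;
+        } else {
+            $ip = gethostbyname( $host );
+            if ( $ip === $host ) // Error condition for gethostbyname()
+                $ip = false;
+        }
+        if ( $ip ) {
+            if ( '127.0.0.1' === $ip )
+                return '';
+            $parts = array_map( 'intval', explode( '.', $ip ) );
+            if ( 10 === $parts[0] )
+                return '';
+            if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+                return '';
+            if ( 192 === $parts[0] && 168 === $parts[1] )
+                return '';
+        }
+    }
+
+    if ( empty( $parsed_url['port'] ) )
+        return $uri;
+
+    $port = $parsed_url['port'];
+    if ( 80 === $port || 443 === $port || 8080 === $port )
+        return $uri;
+
+    if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
+        return $uri;
+
+    return '';
+}
+
+/**
+ * Default filter attached to xmlrpc_pingback_error.
+ *
+ * Returns a generic pingback error code unless the error code is 48,
+ * which reports that the pingback is already registered.
+ *
+ * @since 3.5.1
+ * @link http://www.hixie.ch/specs/pingback/pingback#TOC3
+ *
+ * @param IXR_Error $ixr_error
+ * @return IXR_Error
+ */
+function xmlrpc_pingback_error( $ixr_error ) {
+    if ( $ixr_error->code === 48 )
+        return $ixr_error;
+    return new IXR_Error( 0, '' );
+}
+
 //
 // Cache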
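Review bot: The address check in pingback_ping_source_uri rejects only the exact string `127.0.0.1` plus 10/8, 172.16/12 and 192.168/16, so 127.0.0.2–127.255.255.255, 0.0.0.0/8, 169.254.0.0/16 (link-local, where cloud metadata endpoints live) and 100.64.0.0/10 all pass, and when gethostbyname() fails the `$ip = false` branch lets the URL through unchecked — presumably including AAAA-only names, which gethostbyname() cannot resolve, so the later fetch may go out over IPv6 to an address this function never examined. I would fail closed on resolution failure and widen the ranges as below; where ext/filter is available, `filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE )` expresses the same intent more compactly. Failing closed trades IPv6-only sources for a safe default on an unauthenticated endpoint, which seems the right trade, but it is a behaviour change worth stating in the docblock. Note also that `$parsed_home['port']` is read without isset() on the last check, which emits a notice when the home URL has no port.
```php
        // … unchanged: $host trimming and gethostbyname() resolution …
        if ( ! $ip ) // Unresolvable (or AAAA-only) name: fail closed instead of letting the HTTP client resolve it.
            return '';
        $parts = array_map( 'intval', explode( '.', $ip ) );
        // 127/8 (all loopback), 0/8 and 10/8
        if ( 127 === $parts[0] || 0 === $parts[0] || 10 === $parts[0] )
            return '';
        // 100.64/10 (shared address space)
        if ( 100 === $parts[0] && 64 <= $parts[1] && 127 >= $parts[1] )
            return '';
        // 169.254/16 (link-local, cloud metadata)
        if ( 169 === $parts[0] && 254 === $parts[1] )
            return '';
        // 172.16/12 and 192.168/16
        if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
            return '';
        if ( 192 === $parts[0] && 168 === $parts[1] )
            return '';
```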
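--- a/branches/3.5/wp-includes/default-filters.php (r22070)
+++ b/branches/3.5/wp-includes/default-filters.php (r23330)
@@ -193,4 +193,6 @@
 add_filter( 'editable_slug',            'esc_textarea'                        );
 add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
+add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
 
 // Actions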