
Changeset 23330


Timestamp:
01/22/2013 10:32:06 PM (5 years ago)
Author:
nacin
Message:

Validate pingback source URIs. Less verbose errors.

Location:
branches/3.5/wp-includes
Files:
3 edited

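--- a/branches/3.5/wp-includes/class-wp-xmlrpc-server.php
+++ b/branches/3.5/wp-includes/class-wp-xmlrpc-server.php
@@ -5310,8 +5310,12 @@
         $pagelinkedto = str_replace('&', '&', $pagelinkedto);
 
+        $pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto );
+        if ( ! $pagelinkedfrom )
+            return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) );
+
         // Check if the page linked to is in our site
         $pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home')));
         if ( !$pos1 )
-            return new IXR_Error(0, __('Is there no link to us?'));
+            return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
 
         // let's find which post is linked to
@@ -5347,5 +5351,5 @@
                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                     // returning unknown error '0' is better than die()ing
-                    return new IXR_Error(0, '');
+                    return $this->pingback_error( 0, '' );
                 }
                 $way = 'from the fragment (title)';
@@ -5353,5 +5357,5 @@
         } else {
             // TODO: Attempt to extract a post ID from the given URL
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
         }
         $post_ID = (int) $post_ID;
@@ -5360,16 +5364,16 @@
 
         if ( !$post ) // Post_ID not found
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
         if ( $post_ID == url_to_postid($pagelinkedfrom) )
-            return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.'));
+            return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
 
         // Check if pings are on
         if ( !pings_open($post) )
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
         // Let's check that the remote site didn't already pingback this entry
         if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
-            return new IXR_Error( 48, __( 'The pingback has already been registered.' ) );
+            return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
 
         // very stupid, but gives time to the 'from' server to publish !
@@ -5377,7 +5381,7 @@
 
         // Let's check the remote site
-        $linea = wp_remote_fopen( $pagelinkedfrom );
+        $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) );
         if ( !$linea )
-            return new IXR_Error(16, __('The source URL does not exist.'));
+            return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
 
         $linea = apply_filters('pre_remote_source', $linea, $pagelinkedto);
@@ -5391,5 +5395,5 @@
         $title = $matchtitle[1];
         if ( empty( $title ) )
-            return new IXR_Error(32, __('We cannot find a title on that page.'));
+            return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
 
         $linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
@@ -5427,5 +5431,5 @@
 
         if ( empty($context) ) // Link to target not found
-            return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.'));
+            return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
 
         $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
@@ -5474,5 +5478,5 @@
         if ( !$post_ID ) {
             // We aren't sure that the resource is available and/or pingback enabled
-            return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.'));
+            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.' ) );
         }
 
@@ -5481,5 +5485,5 @@
         if ( !$actual_post ) {
             // No such post = resource not found
-            return new IXR_Error(32, __('The specified target URL does not exist.'));
+            return $this->pingback_error( 32, __('The specified target URL does not exist.' ) );
         }
 
@@ -5497,3 +5501,7 @@
         return $pingbacks;
     }
+
+    protected function pingback_error( $code, $message ) {
+        return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) );
+    }
 }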
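Review bot: The new `pingback_error` method at 5504 has no docblock, and the reason for `'redirection' => 0` on the fetch at 5383 is not stated, although both are security-relevant. Suggested docblock for the method: `/** Builds the IXR_Error for a failed pingback and passes it through the 'xmlrpc_pingback_error' filter, whose default handler collapses every code except 48 to a generic error. */`, and on the fetch: `// redirection => 0: the source URI was validated by the pingback_ping_source_uri filter above; following a redirect would let the request reach a host that was never validated.` That same comment should note that the fetch only runs when the filter at 5312 returned a non-empty value, so the check is exactly as strong as whatever is hooked to that filter. The enclosing pingback_ping method starts before the first hunk.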
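--- a/branches/3.5/wp-includes/comment.php
+++ b/branches/3.5/wp-includes/comment.php
@@ -1952,4 +1952,84 @@
 }
 
+/**
+ * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI
+ *
+ * @since 3.5.1
+ *
+ * @param string $source_uri
+ * @return string
+ */
+function pingback_ping_source_uri( $source_uri ) {
+    $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
+    if ( ! $uri )
+        return '';
+
+    $parsed_url = @parse_url( $uri );
+    if ( ! $parsed_url )
+        return '';
+
+    if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+        return '';
+
+    if ( false !== strpos( $parsed_url['host'], ':' ) )
+        return '';
+
+    $parsed_home = @parse_url( get_option( 'home' ) );
+
+    $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+
+    if ( ! $same_host ) {
+        $host = trim( $parsed_url['host'], '.' );
+        if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+            $ip = $host;
+        } else {
+            $ip = gethostbyname( $host );
+            if ( $ip === $host ) // Error condition for gethostbyname()
+                $ip = false;
+        }
+        if ( $ip ) {
+            if ( '127.0.0.1' === $ip )
+                return '';
+            $parts = array_map( 'intval', explode( '.', $ip ) );
+            if ( 10 === $parts[0] )
+                return '';
+            if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+                return '';
+            if ( 192 === $parts[0] && 168 === $parts[1] )
+                return '';
+        }
+    }
+
+    if ( empty( $parsed_url['port'] ) )
+        return $uri;
+
+    $port = $parsed_url['port'];
+    if ( 80 === $port || 443 === $port || 8080 === $port )
+        return $uri;
+
+    if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
+        return $uri;
+
+    return '';
+}
+
+/**
+ * Default filter attached to xmlrpc_pingback_error.
+ *
+ * Returns a generic pingback error code unless the error code is 48,
+ * which reports that the pingback is already registered.
+ *
+ * @since 3.5.1
+ * @link http://www.hixie.ch/specs/pingback/pingback#TOC3
+ *
+ * @param IXR_Error $ixr_error
+ * @return IXR_Error
+ */
+function xmlrpc_pingback_error( $ixr_error ) {
+    if ( $ixr_error->code === 48 )
+        return $ixr_error;
+    return new IXR_Error( 0, '' );
+}
+
 //
 // Cache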
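Review bot: The non-public address check in pingback_ping_source_uri at 1991 rejects only the literal string `127.0.0.1`, so a source host that resolves to any other loopback address (the rest of 127/8), to link-local 169.254/16 or to 0/8 is accepted, even though the 10/8, 172.16/12 and 192.168/16 tests below it show the intent is to exclude every non-public IPv4 range; computing `$parts` first and testing the leading octets closes that gap (rewrite below). `$parsed_url['host']` at 1974 and `$parsed_home['port']` at 2010 are read without `isset`, so a URI that parses with no host, or a home URL with no port, raises a notice before the function returns; `isset( $parsed_home['port'] ) && $parsed_home['port'] === $port` and an `isset( $parsed_url['host'] )` guard returning `''` would make both paths fail cleanly. The host is also resolved once here with gethostbyname and again inside wp_remote_get in the caller, so the two lookups are not guaranteed to agree; this seems to be a known limitation of validate-then-fetch rather than something this commit must solve, but it is worth stating in the docblock so nobody treats the filter as authoritative. The `@` on parse_url at 1967 and 1977 hides nothing useful, since both results are checked for falsity right after.

```php
        if ( $ip ) {
            $parts = array_map( 'intval', explode( '.', $ip ) );
            // Reject every non-public IPv4 range, not only 127.0.0.1:
            // loopback (127/8), "this network" (0/8) and link-local (169.254/16).
            if ( 127 === $parts[0] || 0 === $parts[0] || ( 169 === $parts[0] && 254 === $parts[1] ) )
                return '';
            // … unchanged: 10/8, 172.16/12 and 192.168/16 checks …
        }
```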
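--- a/branches/3.5/wp-includes/default-filters.php
+++ b/branches/3.5/wp-includes/default-filters.php
@@ -193,4 +193,6 @@
 add_filter( 'editable_slug',            'esc_textarea'                        );
 add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
+add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
 
 // Actions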