WordPress.org

Make WordPress Core

Changeset 23331


Ignore:
Timestamp:
01/22/2013 10:32:59 PM (8 years ago)
Author:
nacin
Message:

Validate pingback source URIs. Less verbose errors.

Location:
branches/3.4/wp-includes
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/3.4/wp-includes/class-wp-xmlrpc-server.php

    r21708 r23331  
    49194919        $pagelinkedto = str_replace('&', '&', $pagelinkedto);
    49204920
     4921        $pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto );
     4922        if ( ! $pagelinkedfrom )
     4923            return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) );
     4924
    49214925        // Check if the page linked to is in our site
    49224926        $pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home')));
    49234927        if ( !$pos1 )
    4924             return new IXR_Error(0, __('Is there no link to us?'));
     4928            return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
    49254929
    49264930        // let's find which post is linked to
     
    49564960                if (! ($post_ID = $wpdb->get_var($sql)) ) {
    49574961                    // returning unknown error '0' is better than die()ing
    4958                     return new IXR_Error(0, '');
     4962                    return $this->pingback_error( 0, '' );
    49594963                }
    49604964                $way = 'from the fragment (title)';
     
    49624966        } else {
    49634967            // TODO: Attempt to extract a post ID from the given URL
    4964             return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
     4968            return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
    49654969        }
    49664970        $post_ID = (int) $post_ID;
     
    49694973
    49704974        if ( !$post ) // Post_ID not found
    4971             return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
     4975            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
    49724976
    49734977        if ( $post_ID == url_to_postid($pagelinkedfrom) )
    4974             return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.'));
     4978            return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
    49754979
    49764980        // Check if pings are on
    49774981        if ( !pings_open($post) )
    4978             return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
     4982            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
    49794983
    49804984        // Let's check that the remote site didn't already pingback this entry
    49814985        if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
    4982             return new IXR_Error( 48, __( 'The pingback has already been registered.' ) );
     4986            return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
    49834987
    49844988        // very stupid, but gives time to the 'from' server to publish !
     
    49864990
    49874991        // Let's check the remote site
    4988         $linea = wp_remote_fopen( $pagelinkedfrom );
     4992        $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) );
    49894993        if ( !$linea )
    4990             return new IXR_Error(16, __('The source URL does not exist.'));
     4994            return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
    49914995
    49924996        $linea = apply_filters('pre_remote_source', $linea, $pagelinkedto);
     
    50005004        $title = $matchtitle[1];
    50015005        if ( empty( $title ) )
    5002             return new IXR_Error(32, __('We cannot find a title on that page.'));
     5006            return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
    50035007
    50045008        $linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
     
    50365040
    50375041        if ( empty($context) ) // Link to target not found
    5038             return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.'));
     5042            return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
    50395043
    50405044        $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
     
    50835087        if ( !$post_ID ) {
    50845088            // We aren't sure that the resource is available and/or pingback enabled
    5085             return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.'));
     5089            return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.' ) );
    50865090        }
    50875091
     
    50905094        if ( !$actual_post ) {
    50915095            // No such post = resource not found
    5092             return new IXR_Error(32, __('The specified target URL does not exist.'));
     5096            return $this->pingback_error( 32, __('The specified target URL does not exist.' ) );
    50935097        }
    50945098
     
    51065110        return $pingbacks;
    51075111    }
     5112
     5113    protected function pingback_error( $code, $message ) {
     5114        return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) );
     5115    }
    51085116}
  • branches/3.4/wp-includes/comment.php

    r20569 r23331  
    19131913}
    19141914
     1915/**
     1916 * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI
     1917 *
     1918 * @since 3.5.1
     1919 *
     1920 * @param string $source_uri
     1921 * @return string
     1922 */
     1923function pingback_ping_source_uri( $source_uri ) {
     1924    $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
     1925    if ( ! $uri )
     1926        return '';
     1927
     1928    $parsed_url = @parse_url( $uri );
     1929    if ( ! $parsed_url )
     1930        return '';
     1931
     1932    if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
     1933        return '';
     1934
     1935    if ( false !== strpos( $parsed_url['host'], ':' ) )
     1936        return '';
     1937
     1938    $parsed_home = @parse_url( get_option( 'home' ) );
     1939
     1940    $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
     1941
     1942    if ( ! $same_host ) {
     1943        $host = trim( $parsed_url['host'], '.' );
     1944        if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
     1945            $ip = $host;
     1946        } else {
     1947            $ip = gethostbyname( $host );
     1948            if ( $ip === $host ) // Error condition for gethostbyname()
     1949                $ip = false;
     1950        }
     1951        if ( $ip ) {
     1952            if ( '127.0.0.1' === $ip )
     1953                return '';
     1954            $parts = array_map( 'intval', explode( '.', $ip ) );
     1955            if ( 10 === $parts[0] )
     1956                return '';
     1957            if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
     1958                return '';
     1959            if ( 192 === $parts[0] && 168 === $parts[1] )
     1960                return '';
     1961        }
     1962    }
     1963
     1964    if ( empty( $parsed_url['port'] ) )
     1965        return $uri;
     1966
     1967    $port = $parsed_url['port'];
     1968    if ( 80 === $port || 443 === $port || 8080 === $port )
     1969        return $uri;
     1970
     1971    if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
     1972        return $uri;
     1973
     1974    return '';
     1975}
     1976
     1977/**
     1978 * Default filter attached to xmlrpc_pingback_error.
     1979 *
     1980 * Returns a generic pingback error code unless the error code is 48,
     1981 * which reports that the pingback is already registered.
     1982 *
     1983 * @since 3.5.1
     1984 * @link http://www.hixie.ch/specs/pingback/pingback#TOC3
     1985 *
     1986 * @param IXR_Error $ixr_error
     1987 * @return IXR_Error
     1988 */
     1989function xmlrpc_pingback_error( $ixr_error ) {
     1990    if ( $ixr_error->code === 48 )
     1991        return $ixr_error;
     1992    return new IXR_Error( 0, '' );
     1993}
     1994
    19151995//
    19161996// Cache
  • branches/3.4/wp-includes/default-filters.php

    r21049 r23331  
    193193add_filter( 'editable_slug',            'esc_textarea'                        );
    194194add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
     195add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
     196add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
    195197
    196198// Actions
Note: See TracChangeset for help on using the changeset viewer.