Changeset 24480 for trunk/wp-includes/class-http.php

Timestamp:

06/21/2013 06:07:47 AM (12 years ago)

Author:

nacin

Message:

Better validation of the URL used in core HTTP requests.

File:

• trunk/wp-includes/class-http.php (modified) (3 diffs)

trunk/wp-includes/class-http.php

@@ -87 +87 @@
             'redirection' => apply_filters( 'http_request_redirection_count', 5),
             'httpversion' => apply_filters( 'http_request_version', '1.0'),
-            'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )  ),
+            'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ),
+            'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', false ),
             'blocking' => true,
             'headers' => array(),
@@ -119 +120 @@
             return $pre;
 
-        $arrURL = parse_url( $url );
+        if ( $r['reject_unsafe_urls'] )
+            $url = wp_http_validate_url( $url );
+        $url = wp_kses_bad_protocol( $url, array( 'http', 'https', 'ssl' ) );
+
+        $arrURL = @parse_url( $url );
 
         if ( empty( $url ) || empty( $arrURL['scheme'] ) )
@@ -1147 +1152 @@
         // bug #17490 with redirected POST requests, so handle redirections outside Curl.
         curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, false );
+        if ( defined( 'CURLOPT_PROTOCOLS' ) ) // PHP 5.2.10 / cURL 7.19.4
+            curl_setopt( $handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS );
 
         switch ( $r['method'] ) {