

Timestamp:
06/21/2013 06:07:47 AM (9 years ago)
Author:
nacin
Message:

Better validation of the URL used in core HTTP requests.

File:
1 edited

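--- a/trunk/wp-includes/class-http.php
+++ b/trunk/wp-includes/class-http.php
@@ -87,5 +87,6 @@
             'redirection' => apply_filters( 'http_request_redirection_count', 5),
             'httpversion' => apply_filters( 'http_request_version', '1.0'),
-            'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )  ),
+            'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ),
+            'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', false ),
             'blocking' => true,
             'headers' => array(),
@@ -119,5 +120,9 @@
             return $pre;
 
-        $arrURL = parse_url( $url );
+        if ( $r['reject_unsafe_urls'] )
+            $url = wp_http_validate_url( $url );
+        $url = wp_kses_bad_protocol( $url, array( 'http', 'https', 'ssl' ) );
+
+        $arrURL = @parse_url( $url );
 
         if ( empty( $url ) || empty( $arrURL['scheme'] ) )
@@ -1147,4 +1152,6 @@
         // bug #17490 with redirected POST requests, so handle redirections outside Curl.
         curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, false );
+        if ( defined( 'CURLOPT_PROTOCOLS' ) ) // PHP 5.2.10 / cURL 7.19.4
+            curl_setopt( $handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS );
 
         switch ( $r['method'] ) {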
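Review bot: In the second hunk `wp_http_validate_url()` runs only when `$r['reject_unsafe_urls']` is set, and the first hunk defaults that argument to `false`, so callers that fetch user-supplied URLs stay unprotected unless they opt in; the new argument should carry a comment saying so, e.g. `// 'reject_unsafe_urls': set to true whenever $url comes from untrusted input.` The check also covers the initial URL only: the third hunk keeps `CURLOPT_FOLLOWLOCATION` off and its comment says redirects are handled outside cURL, so it is worth confirming that the redirect path re-enters this method with the same `reject_unsafe_urls` value, which is not visible here. The enclosing methods start and end outside these hunks.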