Make WordPress Core


Ignore:
Timestamp:
06/21/2013 06:07:47 AM (11 years ago)
Author:
nacin
Message:

Better validation of the URL used in core HTTP requests.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/class-oembed.php

    r24470 r24480  
    114114
    115115        // Fetch URL content
    116         if ( $html = wp_remote_retrieve_body( wp_remote_get( $url ) ) ) {
     116        if ( $html = wp_remote_retrieve_body( wp_remote_get( $url, array( 'reject_unsafe_urls' => true ) ) ) ) {
    117117
    118118            // <link> types that contain oEmbed provider URLs
     
    196196    function _fetch_with_format( $provider_url_with_args, $format ) {
    197197        $provider_url_with_args = add_query_arg( 'format', $format, $provider_url_with_args );
    198         $response = wp_remote_get( $provider_url_with_args );
     198        $response = wp_remote_get( $provider_url_with_args, array( 'reject_unsafe_urls' => true ) );
    199199        if ( 501 == wp_remote_retrieve_response_code( $response ) )
    200200            return new WP_Error( 'not-implemented' );
Note: See TracChangeset for help on using the changeset viewer.