Changeset 24481 for branches/3.5
- Timestamp:
- 06/21/2013 06:12:17 AM (11 years ago)
- Location:
- branches/3.5
- Files:
-
- 11 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/3.5
-
branches/3.5/wp-admin/includes/class-wp-importer.php
r22108 r24481 184 184 $headers = array(); 185 185 $args = array(); 186 $args['reject_unsafe_urls'] = true; 186 187 if ( true === $head ) 187 188 $args['method'] = 'HEAD'; -
branches/3.5/wp-admin/includes/file.php
r24464 r24481 498 498 return new WP_Error('http_no_file', __('Could not create Temporary file.')); 499 499 500 $response = wp_remote_get( $url, array( 'timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname ) );500 $response = wp_remote_get( $url, array( 'timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname, 'reject_unsafe_urls' => true ) ); 501 501 502 502 if ( is_wp_error( $response ) ) { -
branches/3.5/wp-includes/class-feed.php
r22811 r24481 67 67 68 68 if ( preg_match('/^http(s)?:\/\//i', $url) ) { 69 $args = array( 'timeout' => $this->timeout, 'redirection' => $this->redirects); 69 $args = array( 70 'timeout' => $this->timeout, 71 'redirection' => $this->redirects, 72 'reject_unsafe_urls' => true, 73 ); 70 74 71 75 if ( !empty($this->headers) ) … … 86 90 } 87 91 } else { 88 if ( ! file_exists($url) || ( ! $this->body = file_get_contents($url) ) ) { 89 $this->error = 'file_get_contents could not read the file'; 90 $this->success = false; 91 } 92 $this->error = ''; 93 $this->success = false; 92 94 } 93 95 } -
branches/3.5/wp-includes/class-http.php
r23250 r24481 87 87 'redirection' => apply_filters( 'http_request_redirection_count', 5), 88 88 'httpversion' => apply_filters( 'http_request_version', '1.0'), 89 'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ), 89 'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ), 90 'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', false ), 90 91 'blocking' => true, 91 92 'headers' => array(), … … 117 118 return $pre; 118 119 119 $arrURL = parse_url( $url ); 120 if ( $r['reject_unsafe_urls'] ) 121 $url = wp_http_validate_url( $url ); 122 $url = wp_kses_bad_protocol( $url, array( 'http', 'https', 'ssl' ) ); 123 124 $arrURL = @parse_url( $url ); 120 125 121 126 if ( empty( $url ) || empty( $arrURL['scheme'] ) ) … … 1089 1094 // bug #17490 with redirected POST requests, so handle redirections outside Curl. 1090 1095 curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, false ); 1096 if ( defined( 'CURLOPT_PROTOCOLS' ) ) // PHP 5.2.10 / cURL 7.19.4 1097 curl_setopt( $handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS ); 1091 1098 1092 1099 switch ( $r['method'] ) { -
branches/3.5/wp-includes/class-oembed.php
r24471 r24481 109 109 110 110 // Fetch URL content 111 if ( $html = wp_remote_retrieve_body( wp_remote_get( $url ) ) ) {111 if ( $html = wp_remote_retrieve_body( wp_remote_get( $url, array( 'reject_unsafe_urls' => true ) ) ) ) { 112 112 113 113 // <link> types that contain oEmbed provider URLs … … 191 191 function _fetch_with_format( $provider_url_with_args, $format ) { 192 192 $provider_url_with_args = add_query_arg( 'format', $format, $provider_url_with_args ); 193 $response = wp_remote_get( $provider_url_with_args );193 $response = wp_remote_get( $provider_url_with_args, array( 'reject_unsafe_urls' => true ) ); 194 194 if ( 501 == wp_remote_retrieve_response_code( $response ) ) 195 195 return new WP_Error( 'not-implemented' ); -
branches/3.5/wp-includes/class-wp-xmlrpc-server.php
r23330 r24481 5381 5381 5382 5382 // Let's check the remote site 5383 $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) ); 5383 $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0, 'reject_unsafe_urls' => true ) ) ); 5384 5384 5385 if ( !$linea ) 5385 5386 return $this->pingback_error( 16, __( 'The source URL does not exist.' ) ); -
branches/3.5/wp-includes/comment.php
r23332 r24481 1662 1662 return false; 1663 1663 1664 $response = wp_remote_head( $url, array( 'timeout' => 2, 'httpversion' => '1.0' ) );1664 $response = wp_remote_head( $url, array( 'timeout' => 2, 'httpversion' => '1.0', 'reject_unsafe_urls' => true ) ); 1665 1665 1666 1666 if ( is_wp_error( $response ) ) … … 1675 1675 1676 1676 // Now do a GET since we're going to look in the html headers (and we're sure its not a binary file) 1677 $response = wp_remote_get( $url, array( 'timeout' => 2, 'httpversion' => '1.0' ) );1677 $response = wp_remote_get( $url, array( 'timeout' => 2, 'httpversion' => '1.0', 'reject_unsafe_urls' => true ) ); 1678 1678 1679 1679 if ( is_wp_error( $response ) ) … … 1909 1909 $options = array(); 1910 1910 $options['timeout'] = 4; 1911 $options['reject_unsafe_urls'] = true; 1911 1912 $options['body'] = array( 1912 1913 'title' => $title, … … 1956 1957 * 1957 1958 * @since 3.5.1 1959 * @see wp_http_validate_url() 1958 1960 * 1959 1961 * @param string $source_uri … … 1961 1963 */ 1962 1964 function pingback_ping_source_uri( $source_uri ) { 1963 $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) ); 1964 if ( ! $uri ) 1965 return ''; 1966 1967 $parsed_url = @parse_url( $uri ); 1968 if ( ! $parsed_url ) 1969 return ''; 1970 1971 if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) 1972 return ''; 1973 1974 if ( false !== strpos( $parsed_url['host'], ':' ) ) 1975 return ''; 1976 1977 $parsed_home = @parse_url( get_option( 'home' ) ); 1978 1979 $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); 1980 1981 if ( ! $same_host ) { 1982 $host = trim( $parsed_url['host'], '.' ); 1983 if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) { 1984 $ip = $host; 1985 } else { 1986 $ip = gethostbyname( $host ); 1987 if ( $ip === $host ) // Error condition for gethostbyname() 1988 $ip = false; 1989 } 1990 if ( $ip ) { 1991 if ( '127.0.0.1' === $ip ) 1992 return ''; 1993 $parts = array_map( 'intval', explode( '.', $ip ) ); 1994 if ( 10 === $parts[0] ) 1995 return ''; 1996 if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) 1997 return ''; 1998 if ( 192 === $parts[0] && 168 === $parts[1] ) 1999 return ''; 2000 } 2001 } 2002 2003 if ( empty( $parsed_url['port'] ) ) 2004 return $uri; 2005 2006 $port = $parsed_url['port']; 2007 if ( 80 === $port || 443 === $port || 8080 === $port ) 2008 return $uri; 2009 2010 if ( $parsed_home && $same_host && $parsed_home['port'] === $port ) 2011 return $uri; 2012 2013 return ''; 1965 return (string) wp_http_validate_url( $source_uri ); 2014 1966 } 2015 1967 -
branches/3.5/wp-includes/functions.php
r24445 r24481 497 497 $options = array(); 498 498 $options['redirection'] = 5; 499 $options['reject_unsafe_urls'] = true; 499 500 500 501 if ( false == $file_path ) … … 544 545 _deprecated_argument( __FUNCTION__, '2.7' ); 545 546 546 $response = wp_remote_head( $url );547 $response = wp_remote_head( $url, array( 'reject_unsafe_urls' => true ) ); 547 548 548 549 if ( is_wp_error( $response ) ) … … 759 760 $options = array(); 760 761 $options['timeout'] = 10; 762 $options['reject_unsafe_urls'] = true; 761 763 762 764 $response = wp_remote_get( $uri, $options ); -
branches/3.5/wp-includes/http.php
r21988 r24481 312 312 return false; 313 313 } 314 315 /** 316 * Validate a URL for safe use in the HTTP API. 317 * 318 * @since 3.5.2 319 * 320 * @return mixed URL or false on failure. 321 */ 322 function wp_http_validate_url( $url ) { 323 $url = esc_url_raw( $url, array( 'http', 'https' ) ); 324 if ( ! $url ) 325 return false; 326 327 $parsed_url = @parse_url( $url ); 328 if ( ! $parsed_url ) 329 return false; 330 331 if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) 332 return false; 333 334 if ( false !== strpos( $parsed_url['host'], ':' ) ) 335 return false; 336 337 $parsed_home = @parse_url( get_option( 'home' ) ); 338 339 $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); 340 341 if ( ! $same_host ) { 342 $host = trim( $parsed_url['host'], '.' ); 343 if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) { 344 $ip = $host; 345 } else { 346 $ip = gethostbyname( $host ); 347 if ( $ip === $host ) // Error condition for gethostbyname() 348 $ip = false; 349 } 350 if ( $ip ) { 351 if ( '127.0.0.1' === $ip ) 352 return false; 353 $parts = array_map( 'intval', explode( '.', $ip ) ); 354 if ( 10 === $parts[0] ) 355 return false; 356 if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) 357 return false; 358 if ( 192 === $parts[0] && 168 === $parts[1] ) 359 return false; 360 } 361 } 362 363 if ( empty( $parsed_url['port'] ) ) 364 return $url; 365 366 $port = $parsed_url['port']; 367 if ( 80 === $port || 443 === $port || 8080 === $port ) 368 return $url; 369 370 if ( $parsed_home && $same_host && $parsed_home['port'] === $port ) 371 return $url; 372 373 return false; 374 } -
branches/3.5/wp-includes/rss.php
r19712 r24481 537 537 */ 538 538 function _fetch_remote_file($url, $headers = "" ) { 539 $resp = wp_remote_request($url, array('headers' => $headers, 'timeout' => MAGPIE_FETCH_TIME_OUT ));539 $resp = wp_remote_request($url, array('headers' => $headers, 'timeout' => MAGPIE_FETCH_TIME_OUT, 'reject_unsafe_urls' => true )); 540 540 if ( is_wp_error($resp) ) { 541 541 $error = array_shift($resp->errors);
Note: See TracChangeset
for help on using the changeset viewer.