

Timestamp:
06/21/2013 06:12:17 AM (11 years ago)
Author:
nacin
Message:

Better validation of the URL used in core HTTP requests.

Merges [24480] to the 3.5 branch.

Location:
branches/3.5
Files:
2 edited

  • branches/3.5

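--- a/branches/3.5/wp-includes/class-http.php
+++ b/branches/3.5/wp-includes/class-http.php
@@ -87,5 +87,6 @@
             'redirection' => apply_filters( 'http_request_redirection_count', 5),
             'httpversion' => apply_filters( 'http_request_version', '1.0'),
-            'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )  ),
+            'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ),
+            'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', false ),
             'blocking' => true,
             'headers' => array(),
@@ -117,5 +118,9 @@
             return $pre;
 
-        $arrURL = parse_url( $url );
+        if ( $r['reject_unsafe_urls'] )
+            $url = wp_http_validate_url( $url );
+        $url = wp_kses_bad_protocol( $url, array( 'http', 'https', 'ssl' ) );
+
+        $arrURL = @parse_url( $url );
 
         if ( empty( $url ) || empty( $arrURL['scheme'] ) )
@@ -1089,4 +1094,6 @@
         // bug #17490 with redirected POST requests, so handle redirections outside Curl.
         curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, false );
+        if ( defined( 'CURLOPT_PROTOCOLS' ) ) // PHP 5.2.10 / cURL 7.19.4
+            curl_setopt( $handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS );
 
         switch ( $r['method'] ) {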
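Review bot: In the second hunk the new `wp_http_validate_url()` check runs only when `$r['reject_unsafe_urls']` is set, and the first hunk defaults that argument to `false`, so unless a caller or the `http_request_reject_unsafe_urls` filter opts in, only the scheme allow-list from `wp_kses_bad_protocol()` applies. A comment above the default would make the opt-in explicit, e.g. `// Off by default: pass 'reject_unsafe_urls' => true whenever the URL originates from user input.` Redirects are handled outside cURL according to the comment in the third hunk, and that code is not visible here, so it is worth confirming that every redirect target re-enters this validation instead of going straight to the transport. The enclosing functions start and end outside all three hunks.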