

Timestamp:
06/21/2013 06:12:17 AM (11 years ago)
Author:
nacin
Message:

Better validation of the URL used in core HTTP requests.

Merges [24480] to the 3.5 branch.

Location:
branches/3.5
Files:
2 edited

  • branches/3.5

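--- a/branches/3.5/wp-includes/class-oembed.php
+++ b/branches/3.5/wp-includes/class-oembed.php
@@ -109,5 +109,5 @@
 
         // Fetch URL content
-        if ( $html = wp_remote_retrieve_body( wp_remote_get( $url ) ) ) {
+        if ( $html = wp_remote_retrieve_body( wp_remote_get( $url, array( 'reject_unsafe_urls' => true ) ) ) ) {
 
             // <link> types that contain oEmbed provider URLs
@@ -191,5 +191,5 @@
     function _fetch_with_format( $provider_url_with_args, $format ) {
         $provider_url_with_args = add_query_arg( 'format', $format, $provider_url_with_args );
-        $response = wp_remote_get( $provider_url_with_args );
+        $response = wp_remote_get( $provider_url_with_args, array( 'reject_unsafe_urls' => true ) );
         if ( 501 == wp_remote_retrieve_response_code( $response ) )
             return new WP_Error( 'not-implemented' );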
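Review bot: Neither call site records why `reject_unsafe_urls` is set, and the one in `_fetch_with_format()` (new line 193) is the one a later edit is most likely to drop. `$provider_url_with_args` appears to come from the `<link>` tags parsed out of the page fetched at new line 111, so it should be treated as remote-controlled input. A comment above each call, for example `// URL originates from remote content; keep URL validation enabled for this request.`, would document that. It is also worth confirming in the HTTP layer, which this changeset view does not show, that a redirect target is validated again and not only the initial URL. The body of `_fetch_with_format()` continues past the last visible line, so how the error returned for a rejected URL is handled there cannot be checked from here.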