Make WordPress Core


Ignore:
Timestamp:
06/21/2013 06:12:17 AM (11 years ago)
Author:
nacin
Message:

Better validation of the URL used in core HTTP requests.

Merges [24480] to the 3.5 branch.

Location:
branches/3.5
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/3.5

  • branches/3.5/wp-includes/comment.php

    r23332 r24481  
    16621662        return false;
    16631663
    1664     $response = wp_remote_head( $url, array( 'timeout' => 2, 'httpversion' => '1.0' ) );
     1664    $response = wp_remote_head( $url, array( 'timeout' => 2, 'httpversion' => '1.0', 'reject_unsafe_urls' => true ) );
    16651665
    16661666    if ( is_wp_error( $response ) )
     
    16751675
    16761676    // Now do a GET since we're going to look in the html headers (and we're sure its not a binary file)
    1677     $response = wp_remote_get( $url, array( 'timeout' => 2, 'httpversion' => '1.0' ) );
     1677    $response = wp_remote_get( $url, array( 'timeout' => 2, 'httpversion' => '1.0', 'reject_unsafe_urls' => true ) );
    16781678
    16791679    if ( is_wp_error( $response ) )
     
    19091909    $options = array();
    19101910    $options['timeout'] = 4;
     1911    $options['reject_unsafe_urls'] = true;
    19111912    $options['body'] = array(
    19121913        'title' => $title,
     
    19561957 *
    19571958 * @since 3.5.1
     1959 * @see wp_http_validate_url()
    19581960 *
    19591961 * @param string $source_uri
     
    19611963 */
    19621964function pingback_ping_source_uri( $source_uri ) {
    1963     $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
    1964     if ( ! $uri )
    1965         return '';
    1966 
    1967     $parsed_url = @parse_url( $uri );
    1968     if ( ! $parsed_url )
    1969         return '';
    1970 
    1971     if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
    1972         return '';
    1973 
    1974     if ( false !== strpos( $parsed_url['host'], ':' ) )
    1975         return '';
    1976 
    1977     $parsed_home = @parse_url( get_option( 'home' ) );
    1978 
    1979     $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
    1980 
    1981     if ( ! $same_host ) {
    1982         $host = trim( $parsed_url['host'], '.' );
    1983         if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
    1984             $ip = $host;
    1985         } else {
    1986             $ip = gethostbyname( $host );
    1987             if ( $ip === $host ) // Error condition for gethostbyname()
    1988                 $ip = false;
    1989         }
    1990         if ( $ip ) {
    1991             if ( '127.0.0.1' === $ip )
    1992                 return '';
    1993             $parts = array_map( 'intval', explode( '.', $ip ) );
    1994             if ( 10 === $parts[0] )
    1995                 return '';
    1996             if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
    1997                 return '';
    1998             if ( 192 === $parts[0] && 168 === $parts[1] )
    1999                 return '';
    2000         }
    2001     }
    2002 
    2003     if ( empty( $parsed_url['port'] ) )
    2004         return $uri;
    2005 
    2006     $port = $parsed_url['port'];
    2007     if ( 80 === $port || 443 === $port || 8080 === $port )
    2008         return $uri;
    2009 
    2010     if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
    2011         return $uri;
    2012 
    2013     return '';
     1965    return (string) wp_http_validate_url( $source_uri );
    20141966}
    20151967
Note: See TracChangeset for help on using the changeset viewer.