Timestamp: 07/31/2013 06:44:57 AM (8 years ago)
Author: nacin
Message:

Additional checks when evaluating the safety of an HTTP request, to avoid false negatives.

  • Check if the host is considered a safe redirect host.
  • Check if the host is another domain in a multisite installation.
  • Add a filter to control this.

This only occurs when the DNS resolution of a domain points elsewhere in an internal network, but only internally (and has its own public IP outside the network). This could be considered a bad configuration.

fixes #24646.

File: 1 edited

  • trunk/wp-includes/ms-default-filters.php

    r21823 r24915  
    6565// If the network upgrade hasn't run yet, assume ms-files.php rewriting is used.
    6666add_filter( 'default_site_option_ms_files_rewriting', '__return_true' );
     67
     68// Whitelist multisite domains for HTTP requests
     69add_filter( 'http_request_host_is_external', 'ms_allowed_http_request_hosts', 20, 2 );
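
Review bot: the added add_filter() call at line 69 hooks ms_allowed_http_request_hosts at priority 20 without saying why it must run after default-priority callbacks; a callback that runs later on http_request_host_is_external has the last word over earlier ones, so a short comment stating the intended ordering would help anyone else hooking this filter. The callback's definition is not in this file, so this hunk alone does not show how it decides a host belongs to the network; because the filter relaxes the check that keeps HTTP requests away from hosts resolving inside the internal network, the match should be an exact comparison against registered network domains (no suffix or substring matching), and the inline comment at line 68 could say that, for example "Treat domains registered in this network as external, even when they resolve internally."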