WordPress.org

Make WordPress Core

Changeset 30444


Ignore:
Timestamp:
11/20/2014 02:00:56 PM (5 years ago)
Author:
nacin
Message:

Better validation of the URL used in core HTTP requests.

Merges [30443] to the 4.0 branch.

Location:
branches/4.0
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.0

  • branches/4.0/src/wp-includes/http.php

    r29230 r30444  
    445445 */
    446446function wp_http_validate_url( $url ) {
     447    $original_url = $url;
    447448    $url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
    448     if ( ! $url )
     449    if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) )
    449450        return false;
    450451
     
    456457        return false;
    457458
    458     if ( false !== strpos( $parsed_url['host'], ':' ) )
     459    if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
    459460        return false;
    460461
     
    474475        if ( $ip ) {
    475476            $parts = array_map( 'intval', explode( '.', $ip ) );
    476             if ( '127.0.0.1' === $ip
    477                 || ( 10 === $parts[0] )
     477            if ( 127 === $parts[0] || 10 === $parts[0]
    478478                || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
    479479                || ( 192 === $parts[0] && 168 === $parts[1] )
Note: See TracChangeset for help on using the changeset viewer.