Make WordPress Core

Changeset 58384


Ignore:
Timestamp:
06/11/2024 07:07:35 AM (5 weeks ago)
Author:
audrasjb
Message:

Docs: Improve wp_remote_safe_* and wp_http_validate_url docblocks.

Props benjaminpick, audrasjb.
Fixes #61092.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/http.php

    r56352 r58384  
    3131 *
    3232 * This function is ideal when the HTTP request is being made to an arbitrary
    33  * URL. The URL is validated to avoid redirection and request forgery attacks.
     33 * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
     34 * to avoid Server Side Request Forgery attacks (SSRF).
    3435 *
    3536 * @since 3.6.0
     
    3738 * @see wp_remote_request() For more information on the response array format.
    3839 * @see WP_Http::request() For default arguments information.
    39  *
     40 * @see wp_http_validate_url() For more information about how the URL is validated.
     41 *
     42 * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
     43 *
    4044 * @param string $url  URL to retrieve.
    4145 * @param array  $args Optional. Request arguments. Default empty array.
     
    5357 *
    5458 * This function is ideal when the HTTP request is being made to an arbitrary
    55  * URL. The URL is validated to avoid redirection and request forgery attacks.
     59 * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
     60 * to avoid Server Side Request Forgery attacks (SSRF).
    5661 *
    5762 * @since 3.6.0
     
    5964 * @see wp_remote_request() For more information on the response array format.
    6065 * @see WP_Http::request() For default arguments information.
     66 * @see wp_http_validate_url() For more information about how the URL is validated.
     67 *
     68 * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    6169 *
    6270 * @param string $url  URL to retrieve.
     
    7583 *
    7684 * This function is ideal when the HTTP request is being made to an arbitrary
    77  * URL. The URL is validated to avoid redirection and request forgery attacks.
     85 * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
     86 * to avoid Server Side Request Forgery attacks (SSRF).
    7887 *
    7988 * @since 3.6.0
     
    8190 * @see wp_remote_request() For more information on the response array format.
    8291 * @see WP_Http::request() For default arguments information.
     92 * @see wp_http_validate_url() For more information about how the URL is validated.
     93 *
     94 * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    8395 *
    8496 * @param string $url  URL to retrieve.
     
    97109 *
    98110 * This function is ideal when the HTTP request is being made to an arbitrary
    99  * URL. The URL is validated to avoid redirection and request forgery attacks.
     111 * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
     112 * to avoid Server Side Request Forgery attacks (SSRF).
    100113 *
    101114 * @since 3.6.0
     
    103116 * @see wp_remote_request() For more information on the response array format.
    104117 * @see WP_Http::request() For default arguments information.
     118 * @see wp_http_validate_url() For more information about how the URL is validated.
     119 *
     120 * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    105121 *
    106122 * @param string $url  URL to retrieve.
     
    521537/**
    522538 * Validate a URL for safe use in the HTTP API.
     539 *
     540 * Examples of URLs that are considered unsafe:
     541 *
     542 * - ftp://example.com/caniload.php (Invalid protocol - Only http and https are allowed)
     543 * - http:///example.com/caniload.php (Malformed URL)
     544 * - http://user:pass@example.com/caniload.php (Login information)
     545 * - http://exampleeeee.com/caniload.php (Invalid hostname, as the IP cannot be looked up in DNS)
     546 *
     547 * Examples of URLS that are considered unsafe by default:
     548 *
     549 * - http://192.168.0.1/caniload.php (IPs from LAN networks. This can be changed with the Wordpress filter http_request_host_is_external)
     550 * - http://198.143.164.252:81/caniload.php (By default, only 80, 443 and 8080 are allowed. This can be changed with the Wordpress filter http_allowed_safe_ports)
    523551 *
    524552 * @since 3.5.2
Note: See TracChangeset for help on using the changeset viewer.