Changeset 58384

Timestamp:

06/11/2024 07:07:35 AM (6 months ago)

Author:

audrasjb

Message:

Docs: Improve wp_remote_safe_* and wp_http_validate_url docblocks.

Props benjaminpick, audrasjb.
Fixes #61092.

File:

• trunk/src/wp-includes/http.php (modified) (9 diffs)

trunk/src/wp-includes/http.php

@@ -31 +31 @@
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
@@ -37 +38 @@
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
- *
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
+ * 
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -53 +57 @@
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
@@ -59 +64 @@
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
@@ -75 +83 @@
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
@@ -81 +90 @@
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
@@ -97 +109 @@
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
@@ -103 +116 @@
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
@@ -521 +537 @@
 /**
  * Validate a URL for safe use in the HTTP API.
+ *
+ * Examples of URLs that are considered unsafe:
+ *
+ * - ftp://example.com/caniload.php (Invalid protocol - Only http and https are allowed)
+ * - http:///example.com/caniload.php (Malformed URL)
+ * - http://user:pass@example.com/caniload.php (Login information)
+ * - http://exampleeeee.com/caniload.php (Invalid hostname, as the IP cannot be looked up in DNS)
+ *
+ * Examples of URLS that are considered unsafe by default:
+ *
+ * - http://192.168.0.1/caniload.php (IPs from LAN networks. This can be changed with the Wordpress filter http_request_host_is_external)
+ * - http://198.143.164.252:81/caniload.php (By default, only 80, 443 and 8080 are allowed. This can be changed with the Wordpress filter http_allowed_safe_ports)
  *
  * @since 3.5.2