Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php	(revision 5775)
+++ wp-includes/functions.php	(working copy)
@@ -661,8 +661,44 @@
 	return $array;
 }
 
+function wp_limited_curl($url) {
+	/* This function is a wrapper for curl
+	 * that limits the amount of data we
+	 * fetch from a URI to avoid DOS problems
+	 * with wp_remote_fopen()
+	 */
+
+        $ch = curl_init($url);
+        global $total;
+        global $output;
+        $total = 0;
+        $output = "";
+
+        function read_body($ch, $string) {
+                $length = strlen($string);
+                global $total;
+                global $output;
+                $total += $length;
+                $output .= $string;
+                if ($total > 30720) return -1;
+                return $length;
+        }
+
+        curl_setopt($ch, CURLOPT_WRITEFUNCTION, 'read_body');
+        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 1);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+        curl_exec($ch);
+        curl_close($ch);
+
+        return $output;
+}
+
 function wp_remote_fopen( $uri ) {
-	$timeout = 10;
+	$bytes_limit = 30720;  /* limit on size of source documen bytes, see 
+	                  	* Errata for pingback specification.
+				* http://www.hixie.ch/specs/pingback/pingback
+				*/
+	$timeout = 10; 
 	$parsed_url = @parse_url($uri);
 
 	if ( !$parsed_url || !is_array($parsed_url) )
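Review bot: The named function `read_body` declared inside `wp_limited_curl()` is registered globally the first time the wrapper runs, so a second call in the same request stops with a "Cannot redeclare" fatal error, which turns the DoS guard into a new way to break any request that fetches more than one remote document. The byte counter and buffer also live in the generically named globals `$total` and `$output`, which unrelated code can overwrite, and each chunk is appended before the limit test, so the returned string can exceed 30720 bytes by one chunk. I would move the callback to file scope under a prefixed name, prefix the globals, and test the cap before appending, as sketched below. The wrapper also returns the buffer when `curl_exec()` fails, where the code removed in the second hunk returned `false`, so callers that test for `false` should be checked.

```php
// File scope: declared once, so repeated wp_limited_curl() calls are safe.
function wp_limited_curl_read_body($ch, $string) {
	global $wp_limited_curl_total, $wp_limited_curl_output;
	$length = strlen($string);
	$wp_limited_curl_total += $length;
	if ($wp_limited_curl_total > 30720) return -1; // abort before buffering past the cap
	$wp_limited_curl_output .= $string;
	return $length;
}

function wp_limited_curl($url) {
	global $wp_limited_curl_total, $wp_limited_curl_output;
	$wp_limited_curl_total = 0;
	$wp_limited_curl_output = '';
	$ch = curl_init($url);
	curl_setopt($ch, CURLOPT_WRITEFUNCTION, 'wp_limited_curl_read_body');
	// … unchanged: CURLOPT_CONNECTTIMEOUT, CURLOPT_TIMEOUT, curl_exec, curl_close …
	return $wp_limited_curl_output;
}
```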
@@ -678,19 +714,14 @@
 
 		//stream_set_timeout($fp, $timeout); // Requires php 4.3
 		$linea = '';
-		while( $remote_read = fread($fp, 4096) )
+		$bytes = 0;
+		while( $remote_read = fread($fp, 4096) && $bytes < $bytes_limit )
+			$bytes = $bytes + 4096;
 			$linea .= $remote_read;
 		fclose($fp);
 		return $linea;
 	} else if ( function_exists('curl_init') ) {
-		$handle = curl_init();
-		curl_setopt ($handle, CURLOPT_URL, $uri);
-		curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);
-		curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);
-		curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);
-		$buffer = curl_exec($handle);
-		curl_close($handle);
-		return $buffer;
+		return wp_limited_curl($uri);
 	} else {
 		return false;
 	}
