Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#24182 closed defect (bug) (fixed)

WP_Http_Fsockopen fails when requesting an IP based URL with an explicit Host header

Reported by: friedcell's profile friedcell Owned by: dd32's profile dd32
Milestone: 3.7 Priority: normal
Severity: normal Version: 2.7
Component: HTTP API Keywords: needs-patch
Focuses: Cc:

Description (last modified by SergeyBiryukov)

When requesting a resource with a IP based URL and an explicitly set Host header fsockopen fails.


$url =
$args = Array
    [body] => key=xxxxxxxxxxxx&
    [headers] => Array
            [Content-Type] => application/x-www-form-urlencoded; charset=UTF-8
            [Host] =>
            [User-Agent] => WordPress/3.5.1 | Akismet/2.5.7

    [httpversion] => 1.0
    [timeout] => 15

WP_Http_Fsockopen $strHeaders just before fwrite:

POST /1.1/verify-key HTTP/1.0
User-agent: WordPress/3.5.1 | Akismet/2.5.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: deflate;q=1.0, compress;q=0.5
Content-Length: 58


The request fails as the first Host header is used.

When $arrURL['host'] is an IP and there is a Host header in $r['headers'], the Host header should not be added from the URL ( so that the explicitly specified Host header is used.

Attachments (1)

24182.diff (794 bytes) - added by dd32 11 years ago.

Download all attachments as: .zip

Change History (9)

#1 @SergeyBiryukov
11 years ago

  • Description modified (diff)

#2 @friedcell
11 years ago

I fixed it locally with

if ( ip2long($arrURL['host']) === false && !is_array($r['headers']) || !array_key_exists("Host", $r['headers'])) {

around the if/else that sets the Host header from $arrURLhost? but I'm not sure that handles all the cases...

#3 @dd32
11 years ago

  • Milestone changed from Awaiting Review to Future Release
  • Version changed from trunk to 2.7

Confirmed that we've got a hard-coded Host header in the fsockopen handler, and appears that it's been like that since it was first introduced.

It's not as simple as skipping adding the Host header when one is specified, because the Proxy support requires us to alter it.

#4 @dd32
11 years ago

  • Keywords needs-patch added

11 years ago

#5 @dd32
11 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

Attachment 24182.diff​ added

Works for me, Have not tested with a proxy server.

Only fsockopen is affected according to the unit tests added in

#6 follow-up: @dd32
11 years ago

  • Keywords needs-patch added; has-patch needs-testing removed
  • Milestone changed from Future Release to 3.7

Ah.. That patch by me will completely ignore the actual hostname/IP we're connecting to in the URL.

As for how to handle Proxies, it turns out that the request would look like this:


#7 @dd32
11 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 24845:

WP_HTTP: Fsockopen: Respect a specified Host header in the Fsockopen WP_HTTP transport. Fixes #24182

#8 in reply to: ↑ 6 @dd32
11 years ago

Replying to dd32:

Ah.. That patch by me will completely ignore the actual hostname/IP we're connecting to in the URL.

Turned out that was wrong, thanks to the $fsockopen_host variable.

Note: See TracTickets for help on using tickets.