WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#24201 closed defect (bug) (fixed)

Error in RegEx for proxy excluded URL in function send_through_proxy

Reported by: erich1978 Owned by: dd32
Milestone: 3.7 Priority: normal
Severity: normal Version: 3.1
Component: HTTP API Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Dear WordPress Team,

I've detected a bug in the function send_through_proxy in the class WP_HTTP_Proxy. The coded regex for wildcarded domains only works for subdomains containing characters (a-zA-Z0-9) and . (dot) but not for subdomains containing characters (a-zA-Z0-9) and - (dash).

File: wp-includes/class-http.php around line 1411

Example:

define(WP_PROXY_BYPASS_HOSTS, '*.example.com');

foo.bar.example.com will not use proxy. foo-bar.example.com will use proxy.

POSSIBLE SOLUTION: Change the line 1411 from

     $wildcard_regex[] = str_replace('\*', '[\w.]+?', preg_quote($host, '/'));

to

     $wildcard_regex[] = str_replace('\*', '[\w.-]+?', preg_quote($host, '/'));

Yours, Erich Lerch

Change History (5)

#1 @SergeyBiryukov
5 years ago

  • Description modified (diff)
  • Version changed from 3.5.1 to 3.1

Related: [15911]

#2 @dd32
5 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 25149:

WP_HTTP: More relaxed host matching for WP_PROXY_BYPASS_HOSTS and WP_ACCESSIBLE_HOSTS, allowing for subdomains in wildcards to include dashes (and anything else which [\w.] didn't catch). Fixes #24201

#3 @dd32
5 years ago

  • Milestone changed from Awaiting Review to 3.7

#4 @nacin
5 years ago

The change to .+ seems like it would also allow for some.subdomain.example.com to be whitelisted for *.example.com. If intended, that's all good, just checking.

#5 @dd32
5 years ago

The change to .+ seems like it would also allow for some.subdomain.example.com to be whitelisted for *.example.com. If intended, that's all good, just checking.

Yes, that was already possible, since it was [\w.]+, The only change in behaviour is that now non-words (\W) are allowed in subdomains. I can't think of any failures here, but we might need to change it to a larger ASCII whitelist if there are any bad characters which can trick our string functions, etc.

Note: See TracTickets for help on using tickets.