Make WordPress Core

Opened 2 years ago

Last modified 6 weeks ago

#26247 new defect (bug)

Importer fails when importing from a server on a private network

Reported by: dramaley Owned by:
Milestone: WordPress.org Priority: normal
Severity: normal Version: 3.6.1
Component: Import Keywords: needs-patch
Focuses: Cc:


WordPress import (using the wordpress-importer plugin) does not work correctly if both machines are on the same private network. Text content imports, but all media imports fail. I have traced the problem down to a test that is done in wp-includes/http.php. Though i am not deeply familiar with the WordPress code base, the test seems unnecessary to me, and if it is commented out then the import function will behave as expected.

I have included a patch against WordPress 3.6.1 that demonstrates where the problematic test is and resolves the issue.

Attachments (1)

import-bug.diff (498 bytes) - added by dramaley 2 years ago.
Quick hack to fix importer issue. Mostly to demonstrate where i believe the problem to be.

Download all attachments as: .zip

Change History (4)

2 years ago

Quick hack to fix importer issue. Mostly to demonstrate where i believe the problem to be.

#1 @SergeyBiryukov
2 years ago

  • Milestone changed from Awaiting Review to WordPress.org

#2 @dd32
2 years ago

This is something we may be able to disable in imports, but only if the user is trusted on the site.

The checks are designed to prevent a malicious user accessing a resource which the web server has access to, but the visitor doesn't, by preventing WordPress from retrieving documents from a internal-only resource.
One example, would be a internal blog (firewalled off from the internet) with a public-facing site, if someone had access to the public blog, they could upload a export which referenced an internal-only file, downloading it to the web server and ultimately allowing the attacker to download it.

#3 @chriscct7
6 weeks ago

  • Keywords needs-patch added
Note: See TracTickets for help on using tickets.