Make WordPress Core

Opened 10 years ago

Last modified 6 years ago

#26247 new defect (bug)

Importer fails when importing from a server on a private network

Reported by: dramaley's profile dramaley Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Import Keywords: needs-patch
Focuses: Cc:


WordPress import (using the wordpress-importer plugin) does not work correctly if both machines are on the same private network. Text content imports, but all media imports fail. I have traced the problem down to a test that is done in wp-includes/http.php. Though i am not deeply familiar with the WordPress code base, the test seems unnecessary to me, and if it is commented out then the import function will behave as expected.

I have included a patch against WordPress 3.6.1 that demonstrates where the problematic test is and resolves the issue.

Attachments (1)

import-bug.diff (498 bytes) - added by dramaley 10 years ago.
Quick hack to fix importer issue. Mostly to demonstrate where i believe the problem to be.

Download all attachments as: .zip

Change History (6)

10 years ago

Quick hack to fix importer issue. Mostly to demonstrate where i believe the problem to be.

#1 @SergeyBiryukov
10 years ago

  • Milestone changed from Awaiting Review to

#2 @dd32
10 years ago

This is something we may be able to disable in imports, but only if the user is trusted on the site.

The checks are designed to prevent a malicious user accessing a resource which the web server has access to, but the visitor doesn't, by preventing WordPress from retrieving documents from a internal-only resource.
One example, would be a internal blog (firewalled off from the internet) with a public-facing site, if someone had access to the public blog, they could upload a export which referenced an internal-only file, downloading it to the web server and ultimately allowing the attacker to download it.

#3 @chriscct7
9 years ago

  • Keywords needs-patch added

#4 @ocean90
6 years ago

  • Version 3.6.1 deleted

#5 @ocean90
6 years ago

#27364 was marked as a duplicate.

Note: See TracTickets for help on using tickets.