Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#26353 closed defect (bug) (invalid)

wp_safe_remote_*() functions do not appear to work

Reported by: stefwilliams's profile stefwilliams Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.7.1
Component: HTTP API Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Ticket #24646 mentions using wp_safe_remote_request(), wp_safe_remote_head(), wp_safe_remote_get(), wp_safe_remote_post() in order to allow local domains as RSS feeds in the admin dash panel. This is in preference to using 'allow_unsafe_urls', but passing a URL into these functions does not seem to work. Unless I'm missing something obvious?

Change History (7)

#1 @TobiasBg
10 years ago

  • Keywords reporter-feedback added

What does "does not seem to work" mean for you? Can you please be more specific and provide more details about the parameters that you passed to the functions, the expected and the actual return values?

#2 @dd32
10 years ago

The wp_safe_* HTTP methods CAN'T be used to access local-to-server networks, that's their entire purpose, to protect code from making potentially unsafe requests to user-supplied url's (user supplied being site visitors too) that could reveal sensitive data that a user wouldnt otherwise have access to.

The best way to allow WordPress to access a local resource is to use the http_request_host_is_external filter, for example:

add_filter( 'http_request_host_is_external', 'allow_server_mydomain', 10, 3 );
function allow_server_mydomain( $allowed, $hostname, $url ) {
   if ( 'server.mydomain' == $hostname ) // IP resolves to something like
      return true; // Treat this server as being NOT internal network
     return $allowed;

#3 @stefwilliams
10 years ago

As far as I can tell, the parameters it takes are a URL (presumably of the site that you want to mark as 'safe'). I have tried passing this with and without the protocol and with and without the directory names.
No matter what I try, my custom RSS widget in the admin dashboard still says:
RSS Error: WP HTTP Error: A valid URL was not provided.
It is definitely a valid URL that I am passing in...
The functions also allow $args to be passed in, the default being
$args['reject_unsafe_urls'] = true;
But changing this to false does not work either.
All I'm trying to do is pass an RSS feed from a site on the same multisite install into the admin dash panel...

Your answer came while I was writing this. In ticket #24646, it seems to suggest that wp_safe_remote_* IS for this purpose, as opposed to wp_remote_*(), which block access...?

Last edited 10 years ago by SergeyBiryukov (previous) (diff)

#4 @dd32
10 years ago

@stefwilliams: wp_safe_remote_* functions simply set $args['reject_unsafe_urls'] = true; and pass the request on to wp_remote_*, so you're reading #24646 wrong, or something was explained badly.

If your URL's are being rejected by wp_remote_*(), that's an entirely different issue. Can you provide a example of the URL you're passing?

#5 @stefwilliams
10 years ago


Isn't $args['reject_unsafe_urls'] = true; set as a default anyway? Perhaps I did misread that thread.

Anyway, all I needed to know though is how to mark a local feed as 'safe' - and whaddayaknow - the filter you suggested above seems to have done the job.

Apologies for the confusion. This call can be closed/deleted/forgotten :)

#6 @dd32
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

#7 @SergeyBiryukov
10 years ago

  • Component changed from General to HTTP
  • Description modified (diff)
  • Keywords reporter-feedback removed
Note: See TracTickets for help on using tickets.