#26353 closed defect (bug) (invalid)
wp_safe_remote_*() functions do not appear to work
| Reported by: | stefwilliams | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.7.1 |
| Component: | HTTP API | Keywords: | |
| Focuses: | | Cc: | |
Description (last modified by )
Ticket #24646 mentions using wp_safe_remote_request(), wp_safe_remote_head(), wp_safe_remote_get(), wp_safe_remote_post() in order to allow local domains as RSS feeds in the admin dash panel. This is in preference to using 'allow_unsafe_urls', but passing a URL into these functions does not seem to work. Unless I'm missing something obvious?
Change History (7)
#2
@
11 years ago
The wp_safe_* HTTP methods CAN'T be used to access local-to-server networks, that's their entire purpose, to protect code from making potentially unsafe requests to user-supplied URLs (user supplied being site visitors too) that could reveal sensitive data that a user wouldn't otherwise have access to.
The best way to allow WordPress to access a local resource is to use the http_request_host_is_external filter, for example:

```php
add_filter( 'http_request_host_is_external', 'allow_server_mydomain', 10, 3 );
function allow_server_mydomain( $allowed, $hostname, $url ) {
	if ( 'server.mydomain' == $hostname ) // IP resolves to something like 10.1.2.3
		return true; // Treat this server as being NOT internal network
	else
		return $allowed;
}
```
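A narrower variant of the filter above, as an added example that is not part of the ticket or of WordPress core: it matches exact hostnames only and registers the exemption for the duration of a single request, so other wp_safe_remote_*() calls that handle user-supplied URLs keep the private-address check. The myplugin_ names, the host list and the timeout/redirection values are assumptions.

```php
<?php
// Added example, not code from the ticket. Host names below are placeholders
// for servers you operate yourself.
const MYPLUGIN_INTERNAL_HOSTS = array( 'server.mydomain' );

/**
 * Exempt only exact, known host names from the private-address check.
 * Every other host keeps whatever decision WordPress already made.
 */
function myplugin_allow_internal_host( $is_external, $host, $url ) {
	if ( in_array( strtolower( $host ), MYPLUGIN_INTERNAL_HOSTS, true ) ) {
		return true; // Treat this one host as if it were external.
	}
	return $is_external;
}

/**
 * Fetch one trusted internal URL. The exemption is active only while this
 * request runs, so it cannot widen what unrelated code is allowed to reach.
 *
 * @param string $url Internal URL chosen by the site owner, never by a visitor.
 * @return string|WP_Error Response body, or the error explaining the failure.
 */
function myplugin_fetch_internal( $url ) {
	add_filter( 'http_request_host_is_external', 'myplugin_allow_internal_host', 10, 3 );

	$response = wp_safe_remote_get(
		$url,
		array(
			'timeout'     => 5,
			'redirection' => 0, // Do not follow redirects to hosts outside the list.
		)
	);

	remove_filter( 'http_request_host_is_external', 'myplugin_allow_internal_host', 10 );

	if ( is_wp_error( $response ) ) {
		return $response; // e.g. "A valid URL was not provided."
	}
	if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return new WP_Error( 'myplugin_bad_status', 'Unexpected HTTP status from internal host.' );
	}
	return wp_remote_retrieve_body( $response );
}
```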
#3
@
11 years ago
@TobiasBg:
As far as I can tell, the parameters it takes are a URL (presumably of the site that you want to mark as 'safe'). I have tried passing this with and without the protocol and with and without the directory names.
No matter what I try, my custom RSS widget in the admin dashboard still says:
RSS Error: WP HTTP Error: A valid URL was not provided.
It is definitely a valid URL that I am passing in...
The functions also allow $args to be passed in, the default being $args['reject_unsafe_urls'] = true;
But changing this to false does not work either.
All I'm trying to do is pass an RSS feed from a site on the same multisite install into the admin dash panel...
@dd32:
Your answer came while I was writing this. In ticket 24646, it seems to suggest that wp_safe_remote_* IS for this purpose, as opposed to wp_remote_*(), which block access...?
#4
@
11 years ago
@stefwilliams: wp_safe_remote_* functions simply set $args['reject_unsafe_urls'] = true; and pass the request on to wp_remote_*, so you're reading #24646 wrong, or something was explained badly.
If your URLs are being rejected by wp_remote_*(), that's an entirely different issue. Can you provide an example of the URL you're passing?
#5
@
11 years ago
@dd32:
Isn't $args['reject_unsafe_urls'] = true; set as a default anyway? Perhaps I did misread that thread.
Anyway, all I needed to know though is how to mark a local feed as 'safe' - and whaddayaknow - the filter you suggested above seems to have done the job.
Apologies for the confusion. This call can be closed/deleted/forgotten :)
What does "does not seem to work" mean for you? Can you please be more specific and provide more details about the parameters that you passed to the functions, the expected and the actual return values?