WordPress.org

Make WordPress Core

Opened 12 days ago

Last modified 28 minutes ago

#48509 reopened defect (bug)

Update of WP-core, themes and Plugins fails behind a firewall

Reported by: karlte
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 5.2.4
Component: HTTP API
Keywords: needs-patch
Focuses: administration
Cc:
PR Number:

Description

Hello to all!

Thank you very much for creating WordPress and giving me the chance to report a bug.
I am working in a governmental organization, which uses a big firewall to protect
itself against attacks from the internet.

The error first appeared in version 5.2.4; in earlier versions all went well.

I have set the severity to "major", because you can't use any of the update functions
of WordPress behind a firewall anymore.

I found out the following:

In wp-includes/http.php in version 5.2.4 the following changes in function wp_http_validate_url() took place:

<?php


-------------- wp-includes/http.php version 5.2.4 -----------------------------
...
551         if ( ! $same_host ) {
552                 $host = trim( $parsed_url['host'], '.' );
553                 if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
554                         $ip = $host;
555                 } else {
556                         $ip = gethostbyname( $host );
557                         if ( $ip === $host ) { // Error condition for gethostbyname()
                                    ///////////////////////////////////////////////////////
558                                 return false; // <---- This is in version 5.2.4
                                    ///////////////////////////////////////////////////////
559                         }
560                 }
561                 if ( $ip ) {
562                         $parts = array_map( 'intval', explode( '.', $ip ) );
563                         if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
564                                 || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
565                                 || ( 192 === $parts[0] && 168 === $parts[1] )
566                         ) {
...
--------------------------------------------------------------------------------

Since this change, updates of wp-core and installs and updates of plugins and/or themes are not(!!) successful.

In version 5.2.3 all went well, and I show you the corresponding lines:

<?php

//-------------- wp-includes/http.php version 5.2.3 ------------------------------
...
551         if ( ! $same_host ) {
552                 $host = trim( $parsed_url['host'], '.' );
553                 if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
554                         $ip = $host;
555                 } else {
556                         $ip = gethostbyname( $host );
557                         if ( $ip === $host ) { // Error condition for gethostbyname()
                                    ////////////////////////////////////////////////               
558                                 $ip = false;  // this works fine behind firewall
                                    ////////////////////////////////////////////////
559                         }
560                 }
561                 if ( $ip ) {
562                         $parts = array_map( 'intval', explode( '.', $ip ) );
563                         if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
564                                 || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
565                                 || ( 192 === $parts[0] && 168 === $parts[1] )
566                         ) {
...
//--------------------------------------------------------------------------------

The reason is the PHP function "gethostbyname()", which returns an IP number for a given host.
Behind a firewall you will typically find no DNS resolution of internet host names. In this
case gethostbyname() does not return an IP number, it returns the host name. Therefore the
condition in line 557 becomes "true" and the result of wp_http_validate_url() is false.
This produces the error 'A valid URL was not provided.' in public function request in
wp-includes/class-http.php

I hope that helps you to enhance WordPress. I changed line 558 back to version 5.2.3
and WordPress works as well as ever behind a firewall.

Greetings karlte
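
Added example (not part of the ticket and not WordPress core code): the branch quoted above, with the DNS lookup replaced by an injectable resolver so both behaviours can be compared offline. validate_host(), the resolver stubs and the host names are hypothetical; the example shows that the 5.2.3 behaviour lets a name that cannot be resolved locally through without any private-range check, while the 5.2.4 behaviour rejects it.

```php
<?php
// Added illustration, not WordPress core code. validate_host() and the
// resolver stubs are hypothetical names; only the branch logic follows the
// excerpts quoted in the ticket.

function validate_host( string $host, callable $resolver, bool $fail_closed ): bool {
    $host    = trim( $host, '.' );
    $ipv4_re = '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#';

    if ( preg_match( $ipv4_re, $host ) ) {
        $ip = $host;
    } else {
        $ip = $resolver( $host );
        if ( $ip === $host ) {      // gethostbyname() returns its input on failure
            if ( $fail_closed ) {
                return false;       // 5.2.4: unresolvable host is rejected
            }
            $ip = false;            // 5.2.3: range check below is skipped
        }
    }

    if ( $ip ) {
        $parts = array_map( 'intval', explode( '.', $ip ) );
        if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
            || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
            || ( 192 === $parts[0] && 168 === $parts[1] )
        ) {
            return false;           // simplified: the excerpt elides what follows
        }
    }
    return true;
}

// Constructed resolvers standing in for gethostbyname() so the script runs offline.
$with_dns = function ( string $h ): string {
    $zone = array( 'downloads.example.org' => '203.0.113.10', 'intranet.example.org' => '10.0.0.5' );
    return $zone[ $h ] ?? $h;
};
$no_dns = function ( string $h ): string { return $h; };   // firewalled host: every lookup fails

foreach ( array( 'downloads.example.org', 'intranet.example.org', '192.168.1.1' ) as $host ) {
    foreach ( array( 'dns' => $with_dns, 'no-dns' => $no_dns ) as $label => $resolver ) {
        printf( "%-22s %-7s 5.2.3=%s 5.2.4=%s\n", $host, $label,
            var_export( validate_host( $host, $resolver, false ), true ),
            var_export( validate_host( $host, $resolver, true ), true ) );
    }
}
```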

Change History (4)

#1 @karlte
12 days ago

Same as #48495, but with solution!

#2 @karlte
12 days ago

#48495 was marked as a duplicate.

#3 @SergeyBiryukov
12 days ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

Thanks for the report, we're already tracking this issue in #48432.

#4 @karlte
28 minutes ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

Dear SergeyBiryukov,

unfortunately the bug wasn't fixed in WordPress 5.3, therefore I reopened the ticket.

Greetings karlte
