Opened 3 years ago
Closed 3 years ago
#54527 closed defect (bug) (reported-upstream)
missing self-URL check in RSS block
| Reported by: | anonymized_17880307 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Editor | Keywords: | |
| Focuses: | | Cc: | |
Description
At https://github.com/WordPress/WordPress/blob/5.8.2/wp-includes/widgets/class-wp-widget-rss.php#L48-L64 there is a check to prevent the home / site_url URL from being accidentally used as the RSS feed URL, as this can lead to interesting cases like infinite loops, many long-running HTTP requests and some sort of "Self" Denial of Service (DoS).
In WordPress 5.8.2, when we edit a block-enabled theme, add the RSS widget and use the same URL as home / site_url, we get the mentioned problems because the check is missing there:
https://github.com/WordPress/WordPress/blob/5.8.2/wp-includes/blocks/rss.php#L16
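A guard of the kind the description refers to, written here as an added example (not WordPress or Gutenberg code): it compares a feed URL with the site's own base URLs after normalizing host case, trailing slash, scheme and default port, which goes beyond a plain string match. The function names `normalize_for_self_check` and `is_self_feed_url` and the `example.test` URLs are hypothetical.

```php
<?php
// Added example with hypothetical helper names; not WordPress core code.

/** Reduce a URL to host[:port]/path[?query] so trivial variants compare equal. */
function normalize_for_self_check( string $url ): ?string {
    $parts = parse_url( trim( $url ) );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return null; // Relative or malformed: nothing to compare.
    }
    $port = $parts['port'] ?? null;
    if ( in_array( $port, array( 80, 443 ), true ) ) {
        $port = null; // Scheme is ignored, so 80 and 443 both count as default.
    }
    $out  = strtolower( $parts['host'] );
    $out .= null !== $port ? ':' . $port : '';
    $out .= rtrim( $parts['path'] ?? '', '/' );
    // Keep the query: a query string can select a real feed, so it must not match.
    $out .= isset( $parts['query'] ) ? '?' . $parts['query'] : '';
    return $out;
}

/** True when $feed_url is one of the site's own base URLs (home / site_url). */
function is_self_feed_url( string $feed_url, array $own_urls ): bool {
    $feed = normalize_for_self_check( $feed_url );
    if ( null === $feed ) {
        return false; // Leave non-absolute input to other validation.
    }
    foreach ( $own_urls as $own ) {
        if ( $feed === normalize_for_self_check( $own ) ) {
            return true;
        }
    }
    return false;
}

// Constructed sample values standing in for home / site_url.
$own_urls   = array( 'https://example.test', 'https://example.test/wp' );
$candidates = array(
    'https://example.test/',           // self, trailing slash
    'HTTP://EXAMPLE.TEST:80',          // self, other case, scheme and default port
    'https://example.test/wp/',        // self, site_url variant
    'https://example.test/?feed=rss2', // query present: not treated as self
    'https://news.example.org/rss',    // external feed
);
foreach ( $candidates as $candidate ) {
    $verdict = is_self_feed_url( $candidate, $own_urls ) ? 'skip (self URL)' : 'fetch';
    printf( "%-34s %s\n", $candidate, $verdict );
}
```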
Change History (4)
#3, in reply to: ↑ 2, 3 years ago
Replying to SergeyBiryukov:
> Hi there, welcome back to WordPress Trac! Thanks for the report.
> Moving this to the Editor component for more visibility, as it seems to be more related to the RSS block than the RSS widget.
> Also noting that this needs to be fixed in the block-library package upstream and then backported to core. Could you create an issue or PR at https://github.com/WordPress/gutenberg? Thanks!
Done, you can find the issue at https://github.com/WordPress/gutenberg/issues/36969