Opened 6 weeks ago
Last modified 5 weeks ago
#64170 new defect (bug)
gethostbyname() in validating URLs does not work for IPv6
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | 6.8.3 |
| Component: | HTTP API | Keywords: | has-patch has-unit-tests |
| Focuses: | Cc: |
Description
Summary:
wp_http_validate_url() rejects valid URLs when the hostname resolves to IPv6-only addresses, because gethostbyname() only supports IPv4. I discovered this with a custom plugin repository in a IPv6 only network (so the DNS only has a AAAA record when it validates the URL provided to fetch the plugin package).
Expected behavior:
URLs with hostnames that resolve to IPv6 addresses should be validated successfully.
Actual behavior:
When a hostname resolves only to IPv6, gethostbyname() returns the hostname unchanged, which the function treats as a DNS lookup failure and rejects the URL.
How to reproduce:
Create a hostname that resolves only to IPv6 (AAAA record, no A record)
Try to use that URL in any WordPress HTTP API call with default settings
The URL will be rejected with "A valid URL was not provided"
Suggested fix:
Replace gethostbyname() with dns_get_record() or similar that supports both IPv4 and IPv6 (or use getaddrinfo() via a PHP extension.
Workaround:
Set reject_unsafe_urls to false in http_request_args filter for affected URLs.
Change History (2)
#1
@
6 weeks ago
- Component changed from Plugins to HTTP API
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
This ticket was mentioned in PR #10444 on WordPress/wordpress-develop by JezerM.
5 weeks ago
#2
- Keywords has-patch has-unit-tests added; needs-patch removed
This PR implements a function for getting the IP for a hostname, similar to
gethostbynamebut also working for IPv6. So, hosts likeipv6.google.comwould be valid URLs and the hostname would be correctly obtained.Trac ticket: https://core.trac.wordpress.org/ticket/64170