From 1e0faa77d367124417e4ad7b5a5676e8edbdec94 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 20 Nov 2014 14:03:08 +0000
Subject: [PATCH] Better validation of the URL used in core HTTP requests.
Merges [30443] to the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@30447
git-svn-id: http://core.svn.wordpress.org/branches/3.7@30442 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/http.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/wp-includes/http.php b/wp-includes/http.php
index e30fa41ade..4c1a147760 100644
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -451,8 +451,9 @@ function send_origin_headers() {
  * @return mixed URL or false on failure.
  */
 function wp_http_validate_url( $url ) {
+	$original_url = $url;
 	$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
-	if ( ! $url )
+	if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) )
 		return false;
 
 	$parsed_url = @parse_url( $url );
@@ -462,7 +463,7 @@ function wp_http_validate_url( $url ) {
 	if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
 		return false;
 
-	if ( false !== strpos( $parsed_url['host'], ':' ) )
+	if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
 		return false;
 
 	$parsed_home = @parse_url( get_option( 'home' ) );
@@ -480,8 +481,7 @@ function wp_http_validate_url( $url ) {
 	}
 	if ( $ip ) {
 		$parts = array_map( 'intval', explode( '.', $ip ) );
-		if ( '127.0.0.1' === $ip
-			|| ( 10 === $parts[0] )
+		if ( 127 === $parts[0] || 10 === $parts[0]
 			|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
 			|| ( 192 === $parts[0] && 168 === $parts[1] )
 		) {
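Review bot: The new `if` condition in the first hunk gives no hint why a mismatch against `$original_url` is a failure, and a later maintainer could "simplify" it back to `if ( ! $url )` and silently send whatever wp_kses_bad_protocol() rewrote. A comment above the added `$original_url = $url;` line would pin the intent: `// Keep the unsanitized URL: if wp_kses_bad_protocol() changed anything (e.g. stripped or rewrote the scheme), refuse the request rather than send the altered URL.` The `strtolower()` on both sides is presumably there because the sanitizer lower-cases the scheme; if that is the reason, say so in the same comment so the case-folding is not dropped as redundant. wp_http_validate_url()'s body continues past the hunk.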
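Review bot: The changed line in the second hunk reads `$parsed_url['host']` without a guard; if the lines between the first and second hunk (not shown) do not already reject a missing host, strpbrk() on an unset index emits a notice and returns false, so the check passes vacuously. The character list also deserves a one-line comment, since including `[` and `]` means bracketed IPv6 literals are rejected as a side effect and that should read as deliberate: `// Reject hosts still carrying port, fragment, query or IPv6-bracket characters; bracketed IPv6 literals are therefore not accepted.` The function continues outside the hunk.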
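Review bot: The widened `if` in the third hunk now covers all of 127.0.0.0/8, but 0.0.0.0/8 ("this host", RFC 1122) and link-local 169.254.0.0/16 (RFC 3927) are still absent from the list and are as non-routable as the private ranges already rejected here, so they warrant the same treatment: `if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]` followed by `|| ( 169 === $parts[0] && 254 === $parts[1] )`. Separately, `$parts[1]` is read whenever `$parts[0]` is 172 or 192 with no check that explode() produced four parts; where `$ip` comes from is outside the hunk, so whether a non-dotted value can reach this line cannot be judged from the diff alone. The enclosing `if ( $ip )` block and the function continue past the hunk.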