HTTP API: Introduce `'http_allowed_safe_ports'` filter in `wp_http_validate_url()`.
Adds a new filter `'http_allowed_safe_ports'` to control which ports are allowed for remote requests. By default, ports 80, 443, and 8080 are allowed for safe remote requests. Adds tests. Follow-up to [24480]. Props xknown, johnbillion, jorbin, costdev, dd32. Fixes #54331. Built from https://develop.svn.wordpress.org/trunk@52084 git-svn-id: http://core.svn.wordpress.org/trunk@51676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
d6de0e4498
commit
2f84a45fdf
|
@ -514,6 +514,10 @@ function send_origin_headers() {
|
||||||
* @return string|false URL or false on failure.
|
* @return string|false URL or false on failure.
|
||||||
*/
|
*/
|
||||||
function wp_http_validate_url( $url ) {
|
function wp_http_validate_url( $url ) {
|
||||||
|
if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
$original_url = $url;
|
$original_url = $url;
|
||||||
$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
|
$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
|
||||||
if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
|
if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
|
||||||
|
@ -534,15 +538,10 @@ function wp_http_validate_url( $url ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
$parsed_home = parse_url( get_option( 'home' ) );
|
$parsed_home = parse_url( get_option( 'home' ) );
|
||||||
|
$same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
|
||||||
if ( isset( $parsed_home['host'] ) ) {
|
$host = trim( $parsed_url['host'], '.' );
|
||||||
$same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
|
|
||||||
} else {
|
|
||||||
$same_host = false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( ! $same_host ) {
|
if ( ! $same_host ) {
|
||||||
$host = trim( $parsed_url['host'], '.' );
|
|
||||||
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
|
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
|
||||||
$ip = $host;
|
$ip = $host;
|
||||||
} else {
|
} else {
|
||||||
|
@ -581,7 +580,20 @@ function wp_http_validate_url( $url ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
$port = $parsed_url['port'];
|
$port = $parsed_url['port'];
|
||||||
if ( 80 === $port || 443 === $port || 8080 === $port ) {
|
|
||||||
|
/**
|
||||||
|
* Controls the list of ports considered safe in HTTP API.
|
||||||
|
*
|
||||||
|
* Allows to change and allow external requests for the HTTP request.
|
||||||
|
*
|
||||||
|
* @since 5.9.0
|
||||||
|
*
|
||||||
|
* @param array $allowed_ports Array of integers for valid ports.
|
||||||
|
* @param string $host Host name of the requested URL.
|
||||||
|
* @param string $url Requested URL.
|
||||||
|
*/
|
||||||
|
$allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url );
|
||||||
|
if ( in_array( $port, $allowed_ports, true ) ) {
|
||||||
return $url;
|
return $url;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
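Review bot: The value returned by the new `http_allowed_safe_ports` filter goes straight into `in_array( $port, $allowed_ports, true )` in the last hunk, so a callback that returns something other than an array raises a TypeError on PHP 8, and one that returns ports as strings (`'8443'`) never matches, because the strict comparison is against what appears to be the integer port taken from the parsed URL. The string case fails closed, but both are easy to hit from plugin code; I would guard the check with `if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) {` and document the parameter as `@param int[] $allowed_ports Ports as integers; the comparison is strict.` The docblock's second sentence could also state plainly that every port added through this filter widens what the safe-URL check lets through, and that callbacks should decide per `$host` (dot-trimmed but not lowercased at this point) rather than allow a port for all hosts. The body of `wp_http_validate_url()` continues outside the hunks shown.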
|
@ -16,7 +16,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '5.9-alpha-52083';
|
$wp_version = '5.9-alpha-52084';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|