From 82e9c40482e27cd5e4011cdbf6347420cffbf04e Mon Sep 17 00:00:00 2001 From: Andrew Nacin Date: Tue, 22 Jan 2013 22:30:08 +0000 Subject: [PATCH] Validate pingback source URIs. Less verbose errors. git-svn-id: http://core.svn.wordpress.org/trunk@23329 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-xmlrpc-server.php | 34 ++++++----- wp-includes/comment.php | 80 ++++++++++++++++++++++++++ wp-includes/default-filters.php | 2 + 3 files changed, 103 insertions(+), 13 deletions(-) diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php index ac758e4c1b..a0827cac41 100644 --- a/wp-includes/class-wp-xmlrpc-server.php +++ b/wp-includes/class-wp-xmlrpc-server.php @@ -5309,10 +5309,14 @@ class wp_xmlrpc_server extends IXR_Server { $pagelinkedto = str_replace('&', '&', $pagelinkedto); $pagelinkedto = str_replace('&', '&', $pagelinkedto); + $pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto ); + if ( ! $pagelinkedfrom ) + return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) ); + // Check if the page linked to is in our site $pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home'))); if ( !$pos1 ) - return new IXR_Error(0, __('Is there no link to us?')); + return $this->pingback_error( 0, __( 'Is there no link to us?' ) ); // let's find which post is linked to // FIXME: does url_to_postid() cover all these cases already? 
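Review bot: The new `apply_filters( 'pingback_ping_source_uri', … )` line is the only place the source URI is validated, yet nothing at the call site says that the host, credential and port checks live in the default `pingback_ping_source_uri` filter registered in default-filters.php, or that an empty return is the reject signal. A comment above it, `// Validate the source URI (host, credentials, port) via the pingback_ping_source_uri filter; an empty return rejects the pingback.`, would make the dependency on that default filter visible to anyone who later removes or replaces it. The enclosing pingback handler (`pingback_ping`) starts and ends outside this hunk.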
@@ -5346,39 +5350,39 @@ class wp_xmlrpc_server extends IXR_Server { $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) ); if (! ($post_ID = $wpdb->get_var($sql)) ) { // returning unknown error '0' is better than die()ing - return new IXR_Error(0, ''); + return $this->pingback_error( 0, '' ); } $way = 'from the fragment (title)'; } } else { // TODO: Attempt to extract a post ID from the given URL - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); + return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) ); } $post_ID = (int) $post_ID; $post = get_post($post_ID); if ( !$post ) // Post_ID not found - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); + return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) ); if ( $post_ID == url_to_postid($pagelinkedfrom) ) - return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.')); + return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) ); // Check if pings are on if ( !pings_open($post) ) - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); + return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' 
) ); // Let's check that the remote site didn't already pingback this entry if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) ) - return new IXR_Error( 48, __( 'The pingback has already been registered.' ) ); + return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) ); // very stupid, but gives time to the 'from' server to publish ! sleep(1); // Let's check the remote site - $linea = wp_remote_fopen( $pagelinkedfrom ); + $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) ); if ( !$linea ) - return new IXR_Error(16, __('The source URL does not exist.')); + return $this->pingback_error( 16, __( 'The source URL does not exist.' ) ); $linea = apply_filters('pre_remote_source', $linea, $pagelinkedto); @@ -5390,7 +5394,7 @@ class wp_xmlrpc_server extends IXR_Server { preg_match('|([^<]*?)|is', $linea, $matchtitle); $title = $matchtitle[1]; if ( empty( $title ) ) - return new IXR_Error(32, __('We cannot find a title on that page.')); + return $this->pingback_error( 32, __('We cannot find a title on that page.' ) ); $linea = strip_tags( $linea, '' ); // just keep the tag we need @@ -5426,7 +5430,7 @@ class wp_xmlrpc_server extends IXR_Server { } if ( empty($context) ) // Link to target not found - return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.')); + return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) ); $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom); 
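Review bot: The `'redirection' => 0` argument on the new `wp_remote_get()` call carries the security intent of this commit but has no comment, and a later reader could easily change it to follow redirects. Add above it: `// Do not follow redirects: the source URI was validated by the pingback_ping_source_uri filter, and a redirect would bypass that validation.` Separately, the `__('…' )` argument spacing on the new error-33 line here, and on the `We cannot find a title` and `target URL does not exist` lines in the following hunks, is inconsistent with the `__( '…' )` form used on the other new lines. The enclosing pingback handler (`pingback_ping`) starts and ends outside this hunk.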
@@ -5473,14 +5477,14 @@ class wp_xmlrpc_server extends IXR_Server { $post_ID = url_to_postid($url); if ( !$post_ID ) { // We aren't sure that the resource is available and/or pingback enabled - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); + return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) ); } $actual_post = get_post($post_ID, ARRAY_A); if ( !$actual_post ) { // No such post = resource not found - return new IXR_Error(32, __('The specified target URL does not exist.')); + return $this->pingback_error( 32, __('The specified target URL does not exist.' ) ); } $comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) ); @@ -5496,4 +5500,8 @@ class wp_xmlrpc_server extends IXR_Server { return $pingbacks; } + + protected function pingback_error( $code, $message ) { + return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) ); + } } diff --git a/wp-includes/comment.php b/wp-includes/comment.php index 966e76529f..14ca1dfed4 100644 --- a/wp-includes/comment.php +++ b/wp-includes/comment.php 
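Review bot: The new `pingback_error()` method has no docblock, unlike the functions added in comment.php by the same commit, and it is now the single point through which every pingback error passes. It should carry a docblock saying that it builds an `IXR_Error` from the code and message and passes it through the `xmlrpc_pingback_error` filter (which, with the default filter attached, collapses everything except code 48 to a blank error), with `@param int $code`, `@param string $message` and `@return IXR_Error`. The filtered value is returned unchecked, so a filter that returns something other than an `IXR_Error` would be handed straight back to the XML-RPC server; how that is serialized is not visible here.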
@@ -1953,6 +1953,86 @@ function weblog_ping($server = '', $path = '') { $client->query('weblogUpdates.ping', get_option('blogname'), $home); } +/** + * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI + * + * @since 3.5.1 + * + * @param string $source_uri + * @return string + */ +function pingback_ping_source_uri( $source_uri ) { + $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) ); + if ( ! $uri ) + return ''; + + $parsed_url = @parse_url( $uri ); + if ( ! $parsed_url ) + return ''; + + if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) + return ''; + + if ( false !== strpos( $parsed_url['host'], ':' ) ) + return ''; + + $parsed_home = @parse_url( get_option( 'home' ) ); + + $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); + + if ( ! $same_host ) { + $host = trim( $parsed_url['host'], '.' ); + if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) { + $ip = $host; + } else { + $ip = gethostbyname( $host ); + if ( $ip === $host ) // Error condition for gethostbyname() + $ip = false; + } + if ( $ip ) { + if ( '127.0.0.1' === $ip ) + return ''; + $parts = array_map( 'intval', explode( '.', $ip ) ); + if ( 10 === $parts[0] ) + return ''; + if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) + return ''; + if ( 192 === $parts[0] && 168 === $parts[1] ) + return ''; + } + } + + if ( empty( $parsed_url['port'] ) ) + return $uri; + + $port = $parsed_url['port']; + if ( 80 === $port || 443 === $port || 8080 === $port ) + return $uri; + + if ( $parsed_home && $same_host && $parsed_home['port'] === $port ) + return $uri; + + return ''; +} + +/** + * Default filter attached to xmlrpc_pingback_error. + * + * Returns a generic pingback error code unless the error code is 48, + * which reports that the pingback is already registered. 
+ * + * @since 3.5.1 + * @link http://www.hixie.ch/specs/pingback/pingback#TOC3 + * + * @param IXR_Error $ixr_error + * @return IXR_Error + */ +function xmlrpc_pingback_error( $ixr_error ) { + if ( $ixr_error->code === 48 ) + return $ixr_error; + return new IXR_Error( 0, '' ); +} + // // Cache // diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php index 19fdd502ec..cc6e07fa97 100644 --- a/wp-includes/default-filters.php +++ b/wp-includes/default-filters.php @@ -192,6 +192,8 @@ add_filter( 'pings_open', '_close_comments_for_old_post', 10, 2 ); add_filter( 'editable_slug', 'urldecode' ); add_filter( 'editable_slug', 'esc_textarea' ); add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object' ); +add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' ); +add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' ); // Actions add_action( 'wp_head', 'wp_enqueue_scripts', 1 );
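Review bot: The private-address check in `pingback_ping_source_uri()` compares the resolved address against the single literal `'127.0.0.1'`, so other addresses in the 127.0.0.0/8 loopback block, the 0.0.0.0/8 block and the 169.254.0.0/16 link-local range pass the check and are then fetched by the `wp_remote_get()` call in the pingback handler. Since `$parts` is already computed, the literal comparison can be folded into the range test and the `'127.0.0.1' === $ip` line dropped: `if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] || ( 169 === $parts[0] && 254 === $parts[1] ) ) return '';`. The `gethostbyname()` result is only used for this check and the later fetch resolves the name again as a separate lookup, so a name whose answers differ between the two lookups would presumably pass here and be fetched anyway; a comment such as `// NOTE: this lookup and the later fetch resolve the name separately` would record that limitation, and closing it would require the fetch to use the address checked here. Finally, `$parsed_home['port'] === $port` reads the index without `isset()`, so a same-host source URI with a non-standard port on a home URL that has no port emits a notice before returning ''; `isset( $parsed_home['port'] ) && $parsed_home['port'] === $port` avoids that.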