From 9d29f2263a127d1a4c0d1c1156b10e59c44a5867 Mon Sep 17 00:00:00 2001
From: audrasjb <audrasjb@git.wordpress.org>
Date: Tue, 11 Jun 2024 07:09:09 +0000
Subject: [PATCH] Docs: Improve `wp_remote_safe_*` and `wp_http_validate_url`
 docblocks.

Props benjaminpick, audrasjb.
Fixes #61092.



Built from https://develop.svn.wordpress.org/trunk@58384


git-svn-id: http://core.svn.wordpress.org/trunk@57833 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/http.php    | 36 ++++++++++++++++++++++++++++++++----
 wp-includes/version.php |  2 +-
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/wp-includes/http.php b/wp-includes/http.php
index e1738beedf..4232ca1d96 100644
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -30,13 +30,17 @@ function _wp_http_get_object() {
  * Retrieve the raw response from a safe HTTP request.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
  *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
+ * 
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
  *                     See WP_Http::request() for information on accepted arguments.
@@ -52,12 +56,16 @@ function wp_safe_remote_request( $url, $args = array() ) {
  * Retrieve the raw response from a safe HTTP request using the GET method.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -74,12 +82,16 @@ function wp_safe_remote_get( $url, $args = array() ) {
  * Retrieve the raw response from a safe HTTP request using the POST method.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -96,12 +108,16 @@ function wp_safe_remote_post( $url, $args = array() ) {
  * Retrieve the raw response from a safe HTTP request using the HEAD method.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -521,6 +537,18 @@ function send_origin_headers() {
 /**
  * Validate a URL for safe use in the HTTP API.
  *
+ * Examples of URLs that are considered unsafe:
+ *
+ * - ftp://example.com/caniload.php (Invalid protocol - Only http and https are allowed)
+ * - http:///example.com/caniload.php (Malformed URL)
+ * - http://user:pass@example.com/caniload.php (Login information)
+ * - http://exampleeeee.com/caniload.php (Invalid hostname, as the IP cannot be looked up in DNS)
+ *
+ * Examples of URLS that are considered unsafe by default:
+ *
+ * - http://192.168.0.1/caniload.php (IPs from LAN networks. This can be changed with the Wordpress filter http_request_host_is_external)
+ * - http://198.143.164.252:81/caniload.php (By default, only 80, 443 and 8080 are allowed. This can be changed with the Wordpress filter http_allowed_safe_ports)
+ *
  * @since 3.5.2
  *
  * @param string $url Request URL.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index d6c10baad5..46479ba1c6 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.6-beta1-58383';
+$wp_version = '6.6-beta1-58384';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.