WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Docs: Improve `wp_remote_safe_*` and `wp_http_validate_url` docblocks. 

Props benjaminpick, audrasjb.
Fixes #61092.



Built from https://develop.svn.wordpress.org/trunk@58384


git-svn-id: http://core.svn.wordpress.org/trunk@57833 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
audrasjb 2024-06-11 07:09:09 +00:00
parent 8faf5b618a
commit 9d29f2263a
2 changed files with 33 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
wp-includes/http.php
View File

@ -30,13 +30,17 @@ function _wp_http_get_object() {
* Retrieve the raw response from a safe HTTP request. * Retrieve the raw response from a safe HTTP request.
* *
* This function is ideal when the HTTP request is being made to an arbitrary * This function is ideal when the HTTP request is being made to an arbitrary
* URL. The URL is validated to avoid redirection and request forgery attacks. * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
* to avoid Server Side Request Forgery attacks (SSRF).
* *
* @since 3.6.0 * @since 3.6.0
* *
* @see wp_remote_request() For more information on the response array format. * @see wp_remote_request() For more information on the response array format.
* @see WP_Http::request() For default arguments information. * @see WP_Http::request() For default arguments information.
* @see wp_http_validate_url() For more information about how the URL is validated.
* *
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
*
* @param string $url URL to retrieve. * @param string $url URL to retrieve.
* @param array $args Optional. Request arguments. Default empty array. * @param array $args Optional. Request arguments. Default empty array.
* See WP_Http::request() for information on accepted arguments. * See WP_Http::request() for information on accepted arguments.
@ -52,12 +56,16 @@ function wp_safe_remote_request( $url, $args = array() ) {
* Retrieve the raw response from a safe HTTP request using the GET method. * Retrieve the raw response from a safe HTTP request using the GET method.
* *
* This function is ideal when the HTTP request is being made to an arbitrary * This function is ideal when the HTTP request is being made to an arbitrary
* URL. The URL is validated to avoid redirection and request forgery attacks. * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
* to avoid Server Side Request Forgery attacks (SSRF).
* *
* @since 3.6.0 * @since 3.6.0
* *
* @see wp_remote_request() For more information on the response array format. * @see wp_remote_request() For more information on the response array format.
* @see WP_Http::request() For default arguments information. * @see WP_Http::request() For default arguments information.
* @see wp_http_validate_url() For more information about how the URL is validated.
*
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
* *
* @param string $url URL to retrieve. * @param string $url URL to retrieve.
* @param array $args Optional. Request arguments. Default empty array. * @param array $args Optional. Request arguments. Default empty array.
@ -74,12 +82,16 @@ function wp_safe_remote_get( $url, $args = array() ) {
* Retrieve the raw response from a safe HTTP request using the POST method. * Retrieve the raw response from a safe HTTP request using the POST method.
* *
* This function is ideal when the HTTP request is being made to an arbitrary * This function is ideal when the HTTP request is being made to an arbitrary
* URL. The URL is validated to avoid redirection and request forgery attacks. * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
* to avoid Server Side Request Forgery attacks (SSRF).
* *
* @since 3.6.0 * @since 3.6.0
* *
* @see wp_remote_request() For more information on the response array format. * @see wp_remote_request() For more information on the response array format.
* @see WP_Http::request() For default arguments information. * @see WP_Http::request() For default arguments information.
* @see wp_http_validate_url() For more information about how the URL is validated.
*
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
* *
* @param string $url URL to retrieve. * @param string $url URL to retrieve.
* @param array $args Optional. Request arguments. Default empty array. * @param array $args Optional. Request arguments. Default empty array.
@ -96,12 +108,16 @@ function wp_safe_remote_post( $url, $args = array() ) {
* Retrieve the raw response from a safe HTTP request using the HEAD method. * Retrieve the raw response from a safe HTTP request using the HEAD method.
* *
* This function is ideal when the HTTP request is being made to an arbitrary * This function is ideal when the HTTP request is being made to an arbitrary
* URL. The URL is validated to avoid redirection and request forgery attacks. * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
* to avoid Server Side Request Forgery attacks (SSRF).
* *
* @since 3.6.0 * @since 3.6.0
* *
* @see wp_remote_request() For more information on the response array format. * @see wp_remote_request() For more information on the response array format.
* @see WP_Http::request() For default arguments information. * @see WP_Http::request() For default arguments information.
* @see wp_http_validate_url() For more information about how the URL is validated.
*
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
* *
* @param string $url URL to retrieve. * @param string $url URL to retrieve.
* @param array $args Optional. Request arguments. Default empty array. * @param array $args Optional. Request arguments. Default empty array.
@ -521,6 +537,18 @@ function send_origin_headers() {
/** /**
* Validate a URL for safe use in the HTTP API. * Validate a URL for safe use in the HTTP API.
* *
* Examples of URLs that are considered unsafe:
*
* - ftp://example.com/caniload.php (Invalid protocol - Only http and https are allowed)
* - http:///example.com/caniload.php (Malformed URL)
* - http://user:pass@example.com/caniload.php (Login information)
* - http://exampleeeee.com/caniload.php (Invalid hostname, as the IP cannot be looked up in DNS)
*
* Examples of URLS that are considered unsafe by default:
*
* - http://192.168.0.1/caniload.php (IPs from LAN networks. This can be changed with the Wordpress filter http_request_host_is_external)
* - http://198.143.164.252:81/caniload.php (By default, only 80, 443 and 8080 are allowed. This can be changed with the Wordpress filter http_allowed_safe_ports)
*
* @since 3.5.2 * @since 3.5.2
* *
* @param string $url Request URL. * @param string $url Request URL.

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.6-beta1-58383'; $wp_version = '6.6-beta1-58384';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.