From a6103b30f56f1ab3498a6866ac6c0d16d35c1e88 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 20 Nov 2014 14:01:23 +0000
Subject: [PATCH] Better validation of the URL used in core HTTP requests.
Built from https://develop.svn.wordpress.org/trunk@30443
git-svn-id: http://core.svn.wordpress.org/trunk@30438 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/http.php | 8 ++++----
 wp-includes/version.php | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/wp-includes/http.php b/wp-includes/http.php
index c3a890b796..8519d1834d 100644
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -444,8 +444,9 @@ function send_origin_headers() {
  * @return mixed URL or false on failure.
  */
 function wp_http_validate_url( $url ) {
+	$original_url = $url;
 	$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
-	if ( ! $url )
+	if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) )
 		return false;
 
 	$parsed_url = @parse_url( $url );
@@ -455,7 +456,7 @@ function wp_http_validate_url( $url ) {
 	if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
 		return false;
 
-	if ( false !== strpos( $parsed_url['host'], ':' ) )
+	if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
 		return false;
 
 	$parsed_home = @parse_url( get_option( 'home' ) );
@@ -473,8 +474,7 @@ function wp_http_validate_url( $url ) {
 	}
 	if ( $ip ) {
 		$parts = array_map( 'intval', explode( '.', $ip ) );
-		if ( '127.0.0.1' === $ip
-			|| ( 10 === $parts[0] )
+		if ( 127 === $parts[0] || 10 === $parts[0]
 			|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
 			|| ( 192 === $parts[0] && 168 === $parts[1] )
 		) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 542fb9312f..62075571c6 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
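Review bot: The new comparison `strtolower( $url ) !== strtolower( $original_url )` turns any alteration made by wp_kses_bad_protocol into a rejection instead of silently continuing with the sanitized form, but that intent is not stated, and the case-insensitivity is presumably there to tolerate scheme-case normalization by the filter. A one-line comment above the `if` would make this explicit: `// Reject rather than repair: if the protocol filter changed anything beyond case, this was not a plain http/https URL.` The body of wp_http_validate_url continues past the hunk.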
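Review bot: The new `strpbrk( $parsed_url['host'], ':#?[]' )` check rejects IPv6 literal hosts outright via the `[` and `]` characters, which is consistent with the private-address check later in the function understanding only dotted-quad IPv4 (see the `$parts` comparisons in the third hunk), but nothing in the code says so and a later reader may "fix" it. A comment would preserve the reasoning: `// Reject hosts carrying a port, fragment, query or IPv6 literal; the private-range check below handles IPv4 only.` Whether `$parsed_url['host']` is guaranteed to be set at this point depends on lines above the hunk that are not visible here.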
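Review bot: The widened condition `if ( 127 === $parts[0] || 10 === $parts[0]` still lets other non-routable IPv4 ranges through, notably 0.0.0.0/8 and the 169.254.0.0/16 link-local block, so a host that resolves into those ranges is treated as external. Adding `|| 0 === $parts[0]` and `|| ( 169 === $parts[0] && 254 === $parts[1] )` to the same condition closes that gap with the same structure the line already uses. `$parts[1]` is read unconditionally, so if `$ip` can ever be something other than a dotted quad (its origin is above the hunk and not visible) the index lookup should be guarded. The enclosing `if ( $ip )` block and wp_http_validate_url both continue outside the hunk.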
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.1-beta1-30438';
+$wp_version = '4.1-beta1-30443';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.