[wp-trac] [WordPress Trac] #61092: Does wp_safe_remote_get really disable redirects? (Documentation)
WordPress Trac
noreply at wordpress.org
Sun Apr 28 09:14:18 UTC 2024
#61092: Does wp_safe_remote_get really disable redirects? (Documentation)
--------------------------+-----------------------------
Reporter: benjaminpick | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The documentation of wp_safe_remote_get says
"The URL is validated to avoid redirection and request forgery attacks."
However, there is no code preventing redirects - it is "only" validating
the request URL.
P.S. - Oh, maybe the sentence is worded ambiguously. It could be read as:
The URL is validated to avoid
- redirection and
- request
forgery attacks.
But also as (and that's how I read it):
The URL is validated to avoid
- redirection and
- request forgery attacks.
May I suggest elaborating the documentation, e.g. as in #60934:
"This is intended to protect against SSRF attacks, in which an application
is 'tricked' to request non-public resources and expose them publicly
through the accessible endpoint. We additionally protect against
redirection attacks used to start a SSRF attack."
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61092>
WordPress Trac <https://core.trac.wordpress.org/>
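The distinction the ticket turns on is whether a "safe" HTTP client checks only the URL it is asked to fetch, or also every URL it is redirected to. The following is an added illustration, not code from the ticket or from WordPress core: a minimal Python client with a constructed, in-memory DNS table and server (so it runs offline) whose per-hop validation can be switched off to show the gap. The validation rules (http/https only, no embedded credentials, host must resolve to a public address) are an assumption chosen for the example and are not a reproduction of wp_http_validate_url.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed stand-in for DNS resolution (not real addresses for real hosts).
FAKE_DNS = {
    "example.com": "93.184.216.34",   # public
    "internal.example": "10.0.0.5",   # RFC 1918, must never be reachable
    "localhost": "127.0.0.1",
}

# Constructed stand-in for a server: url -> (status, headers, body).
FAKE_SERVER = {
    "http://example.com/start":    (302, {"Location": "http://example.com/final"}, b""),
    "http://example.com/final":    (200, {}, b"public content"),
    "http://example.com/relative": (302, {"Location": "/final"}, b""),
    # A public host that redirects the client into the private network.
    "http://example.com/bounce":   (302, {"Location": "http://internal.example/admin"}, b""),
    "http://internal.example/admin": (200, {}, b"SECRET"),
    "http://example.com/loop":     (302, {"Location": "http://example.com/loop"}, b""),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UnsafeUrl(ValueError):
    """Raised when a URL fails the (assumed) safety policy."""


def validate_url(url: str) -> str:
    """Apply the policy to one URL and return it unchanged if it passes."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {url}")
    if not p.hostname:
        raise UnsafeUrl(f"no host: {url}")
    if p.username or p.password:
        raise UnsafeUrl(f"credentials embedded in URL: {url}")
    ip = FAKE_DNS.get(p.hostname.lower())  # assumption: replaces a real DNS lookup
    if ip is None:
        raise UnsafeUrl(f"unresolvable host: {url}")
    if not ipaddress.ip_address(ip).is_global:
        raise UnsafeUrl(f"host resolves to non-public address {ip}: {url}")
    return url


def fetch_once(url: str):
    """Single request against the constructed server; no redirect handling here."""
    return FAKE_SERVER.get(url, (404, {}, b""))


def safe_get(url: str, max_redirects: int = 5, validate_redirects: bool = True):
    """Fetch `url`, following up to `max_redirects` hops.

    With max_redirects=0 the first 3xx response is returned as-is (redirects
    effectively disabled). With validate_redirects=False only the initial URL
    is checked, which is the weaker behaviour the ticket asks about.
    """
    validate_url(url)
    hops = 0
    while True:
        status, headers, body = fetch_once(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            if hops >= max_redirects:
                return status, body          # stop following; hand back the 3xx
            hops += 1
            url = urljoin(url, headers["Location"])  # resolve relative Location
            if validate_redirects:
                validate_url(url)            # re-check every hop, not just the first URL
            continue
        return status, body


if __name__ == "__main__":
    print(safe_get("http://example.com/start"))
    try:
        safe_get("http://example.com/bounce")
    except UnsafeUrl as e:
        print("blocked:", e)
    print(safe_get("http://example.com/bounce", validate_redirects=False))
```

Running the block shows the public chain succeeding, the bounce into 10.0.0.5 being refused when each hop is validated, and the same bounce returning the private resource when only the initial URL is checked; `max_redirects=0` returns the 302 untouched, which is what "disabling redirects" would look like in this model.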