[wp-trac] [WordPress Trac] #23350: Pingback Denial of Service Fix - filter_var based IP validation
WordPress Trac
noreply at wordpress.org
Fri Feb 1 02:37:22 UTC 2013
#23350: Pingback Denial of Service Fix - filter_var based IP validation
------------------------------+------------------------------
Reporter: hakre | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Pings/Trackbacks | Version: 3.5.1
Severity: normal | Resolution:
Keywords: has-patch |
------------------------------+------------------------------
Comment (by nacin):
This was an SSRF fix, not directly a DoS fix. #4137 remains valid.
I generally just opt for what was done here, but sure, strcasecmp() is
fine.
filter_var() was deliberately avoided because it has numerous bugs in
5.2.x and 5.3.x, in particular IDN domains but other bugs (IIRC) as well.
Colons in hostnames and trimming the hostname for dots were both
deliberate. I'll publicly commit our extensive unit tests in the near
future.
At a glance, your isset() appears proper.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23350#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
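The comment above refers to validating the host of an outbound pingback request so the server cannot be steered at internal addresses (the SSRF concern), doing the private-range check by hand instead of relying on filter_var() flags, rejecting colons in hostnames, trimming dots from the hostname and comparing against the site's own host with strcasecmp(). The block below is an added illustration of that shape of check; it is not WordPress's own code and does not reproduce the committed patch. The function names, the hand-written range table and the injectable `$resolver` callable (standing in for gethostbyname() so the code runs offline) are all assumptions made for this example.

```php
<?php
// Added example, not WordPress's code: validate the target of an outbound
// pingback request before fetching it, rejecting private/reserved addresses
// without using filter_var(). The $resolver parameter is a hypothetical
// injectable callable so the check can be exercised offline.

// Returns true when a dotted-quad string is malformed or points at an
// internal/reserved range; anything that is not a plain IPv4 literal is
// treated as internal (i.e. rejected) to fail closed.
function ip_is_internal(string $ip): bool
{
    $parts = explode('.', $ip);
    if (count($parts) !== 4) {
        return true;
    }
    foreach ($parts as $p) {
        // Digits only, no leading zeros (avoids octal re-interpretation), <= 255.
        if ($p === '' || !ctype_digit($p) || (int) $p > 255 || ($p !== '0' && $p[0] === '0')) {
            return true;
        }
    }
    [$a, $b] = array_map('intval', $parts);
    return $a === 0                                  // "this" network
        || $a === 10                                 // 10/8
        || $a === 127                                // loopback
        || ($a === 169 && $b === 254)                // link-local, incl. cloud metadata
        || ($a === 172 && $b >= 16 && $b <= 31)      // 172.16/12
        || ($a === 192 && $b === 168)                // 192.168/16
        || $a >= 224;                                // multicast and reserved
}

// Returns the URL when it is safe to fetch, null otherwise.
function validate_pingback_target(string $url, string $own_host, callable $resolver): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // no embedded credentials
    }
    // Trim surrounding dots and refuse any colon in the host (no IPv6 literals
    // or port smuggling inside the host component).
    $host = trim($parts['host'], '.');
    if ($host === '' || strpos($host, ':') !== false) {
        return null;
    }
    if (isset($parts['port']) && !in_array((int) $parts['port'], [80, 443], true)) {
        return null;
    }
    // The site's own host is allowed even if it resolves to a loopback address.
    if (strcasecmp($host, $own_host) === 0) {
        return $url;
    }
    $ip = preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $host) ? $host : $resolver($host);
    if ($ip === false || ip_is_internal($ip)) {
        return null;
    }
    return $url;
}

// Constructed usage: a fake resolver with a fixed table instead of real DNS.
$resolver = function (string $host) {
    $table = ['example.com' => '93.184.216.34', 'intranet.local' => '10.0.0.5'];
    return $table[$host] ?? false;
};
var_dump(validate_pingback_target('http://example.com/post/1', 'blog.example.org', $resolver));   // string
var_dump(validate_pingback_target('http://intranet.local/admin', 'blog.example.org', $resolver)); // NULL
var_dump(validate_pingback_target('http://127.0.0.1:8080/', 'blog.example.org', $resolver));     // NULL
var_dump(validate_pingback_target('http://blog.example.org./x', 'blog.example.org', $resolver)); // string
```

Two caveats a practitioner would want: the address checked here is the one returned by the resolver at validation time, so the HTTP client must connect to that same address (or re-check after its own lookup) rather than resolving the name a second time, and redirects from the fetched page need the same validation applied to each hop.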