[wp-trac] [WordPress Trac] #24646: fetch_feed() returns WP_Error with "A valid URL was not provided"
WordPress Trac
noreply at wordpress.org
Tue Jul 2 15:01:27 UTC 2013
#24646: fetch_feed() returns WP_Error with "A valid URL was not provided"
--------------------------+--------------------
Reporter: husdaman | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.5.3
Component: Feeds | Version: 3.5.2
Severity: major | Resolution:
Keywords: |
--------------------------+--------------------
Comment (by nacin):
Replying to [comment:28 aaroncampbell]:
> Seems like it would be OK to allow traffic to ANY internal IP as long as
the existing site's domain also resolves to it. That would allow for
setups like mine where a few domains on a bank of servers are all pointed
to an internal IP for a load balancer.
It's not. The goal of a server-side request forgery is to trick the server
into sending an internally routed request when one is not desired. One may
sometimes be desired, but there's possibly a lot of internal things that
bank of servers can talk to, but shouldn't arbitrarily. Like, say, a
memcached server. The best firewalls can lock most of that chatter down,
but it's rare — your server will still need to connect to the memcached
server, but only on its terms, not the terms of an HTTP request with an
arbitrary URL.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24646#comment:29>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list