[wp-trac] [WordPress Trac] #40784: WP_HTTP_IXR_Client constructor needs to check that $server is valid
WordPress Trac
noreply at wordpress.org
Wed May 17 12:11:29 UTC 2017
#40784: WP_HTTP_IXR_Client constructor needs to check that $server is valid
---------------------------+-----------------------------
 Reporter:  chrispecoraro  |      Owner:
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  General        |    Version:  4.7.4
 Severity:  normal         |   Keywords:
  Focuses:                 |
---------------------------+-----------------------------
ErrorException is thrown: {{{Undefined index: host}}} and
{{{Undefined index: scheme}}}
When WP_HTTP_IXR_Client is instantiated in {{{pingback()}}}, {{{$path}}}
is checked, but {{{$server}}} may still be invalid or false, which sends
an invalid URL to {{{parse_url()}}}.
Instantiation:
{{{ $client = new WP_HTTP_IXR_Client($pingback_server_url); }}}
Excerpt from class:
{{{#!php
<?php
class WP_HTTP_IXR_Client extends IXR_Client {
    public $scheme;
    /**
     * @var IXR_Error
     */
    public $error;

    /**
     * @param string $server
     * @param string|bool $path
     * @param int|bool $port
     * @param int $timeout
     */
    public function __construct($server, $path = false, $port = false, $timeout = 15) {
        if ( ! $path ) {
            // Assume we have been given a URL instead
            $bits = parse_url($server);
            $this->scheme = $bits['scheme'];
            $this->server = $bits['host'];
            ...
}}}
In the code that instantiates {{{WP_HTTP_IXR_Client}}}, it is clear that
{{{discover_pingback_server_uri}}} could return false, which then gets
passed as a constructor parameter.
Relevant code block:
{{{
$pingback_server_url = discover_pingback_server_uri( $pagelinkedto );
if ( $pingback_server_url ) {
    @ set_time_limit( 60 );
    // Now, the RPC call
    $pagelinkedfrom = get_permalink( $post );
    // using a timeout of 3 seconds should be enough to cover slow servers
    $client = new WP_HTTP_IXR_Client($pingback_server_url);
    $client->timeout = 3;
}}}
Possible resolution:
{{{filter_var($server, FILTER_VALIDATE_URL)}}} should be used to test the
URL prior to {{{parse_url($server)}}}.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40784>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
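
The check proposed in the ticket, written out as an added example; it is not code from the ticket or from WordPress core. The function name `example_parse_server_url()` and the sample inputs are hypothetical. It goes one step beyond the ticket by allow-listing the scheme, because `FILTER_VALIDATE_URL` accepts any scheme, not only HTTP ones.

```php
<?php
/**
 * Hypothetical helper (not WordPress core): return the 'scheme' and 'host'
 * that the constructor excerpt reads, or null when $server is unusable.
 */
function example_parse_server_url( $server ) {
    // A discovery step can hand back false; reject anything that is not a non-empty string.
    if ( ! is_string( $server ) || '' === $server ) {
        return null;
    }

    // The check proposed in the ticket: syntactic URL validation first.
    if ( false === filter_var( $server, FILTER_VALIDATE_URL ) ) {
        return null;
    }

    // parse_url() may return false, or an array without the keys we need.
    $bits = parse_url( $server );
    if ( ! is_array( $bits ) || ! isset( $bits['scheme'], $bits['host'] ) ) {
        return null;
    }

    // FILTER_VALIDATE_URL does not restrict the scheme, so allow-list
    // the ones an HTTP-based XML-RPC client can actually use.
    $scheme = strtolower( $bits['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return null;
    }

    return array( 'scheme' => $scheme, 'host' => $bits['host'] );
}

// Constructed sample inputs, not taken from the ticket.
$samples = array(
    false,
    '',
    '/xmlrpc.php',
    'example.org/xmlrpc.php',
    'ftp://example.org/xmlrpc.php',
    'https://example.org/xmlrpc.php',
);

foreach ( $samples as $sample ) {
    $parts  = example_parse_server_url( $sample );
    $result = null === $parts ? 'rejected' : 'ok: ' . $parts['scheme'] . '://' . $parts['host'];
    printf( "%-36s %s\n", var_export( $sample, true ), $result );
}
```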