[wp-trac] [WordPress Trac] #48509: Update of WP-core, themes and Plugins fails behind a firewall

WordPress Trac noreply at wordpress.org
Wed Nov 6 11:04:55 UTC 2019


#48509: Update of WP-core, themes and Plugins fails behind a firewall
----------------------------+-----------------------------
 Reporter:  karlte          |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  HTTP API        |    Version:  5.2.4
 Severity:  major           |   Keywords:  needs-patch
  Focuses:  administration  |
----------------------------+-----------------------------
 Hello to all!

 Thank you very much for creating wordpress and giving me the chance to
 report a bug.
 I am working in a governmental organization, which uses a big firewall to
 protect
 themselves agains the attacks from the internet.

 The error appeared first in version 5.2.4, in versions before all went
 well.

 I have set the severity to "major", because you can't use any of the
 update functions
 of wordpress behind a firewall anymore.

 I found out the following:

 In wp-includes/http.php in version 5.2.4 the following changes in function
 wp_http_validate_url() take part:

 {{{#!php
 <?php


 -------------- wp-includes/http.php version 5.2.4
 -----------------------------
 ...
 551         if ( ! $same_host ) {
 552                 $host = trim( $parsed_url['host'], '.' );
 553                 if ( preg_match(
 '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#',
 $host ) ) {
 554                         $ip = $host;
 555                 } else {
 556                         $ip = gethostbyname( $host );
 557                         if ( $ip === $host ) { // Error condition for
 gethostbyname()
 ///////////////////////////////////////////////////////
 558                                 return false; // <---- This is in
 version 5.2.4
 ///////////////////////////////////////////////////////
 559                         }
 560                 }
 561                 if ( $ip ) {
 562                         $parts = array_map( 'intval', explode( '.',
 $ip ) );
 563                         if ( 127 === $parts[0] || 10 === $parts[0] ||
 0 === $parts[0]
 564                                 || ( 172 === $parts[0] && 16 <=
 $parts[1] && 31 >= $parts[1] )
 565                                 || ( 192 === $parts[0] && 168 ===
 $parts[1] )
 566                         ) {
 ...
 --------------------------------------------------------------------------------
 }}}
 Since this change updates of wp-core, install and update of plugins and/or
 themes are not(!!) successful.

 In version 5.2.3 all went well and i show you the corresponding lines:

 {{{#!php
 <?php

 //-------------- wp-includes/http.php version 5.2.3
 ------------------------------
 ...
 551         if ( ! $same_host ) {
 552                 $host = trim( $parsed_url['host'], '.' );
 553                 if ( preg_match(
 '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#',
 $host ) ) {
 554                         $ip = $host;
 555                 } else {
 556                         $ip = gethostbyname( $host );
 557                         if ( $ip === $host ) { // Error condition for
 gethostbyname()
 ////////////////////////////////////////////////
 558                                 $ip = false;  // this works fine
 behind firewall
 ////////////////////////////////////////////////
 559                         }
 560                 }
 561                 if ( $ip ) {
 562                         $parts = array_map( 'intval', explode( '.',
 $ip ) );
 563                         if ( 127 === $parts[0] || 10 === $parts[0] ||
 0 === $parts[0]
 564                                 || ( 172 === $parts[0] && 16 <=
 $parts[1] && 31 >= $parts[1] )
 565                                 || ( 192 === $parts[0] && 168 ===
 $parts[1] )
 566                         ) {
 ...
 //--------------------------------------------------------------------------------

 }}}

 The reason is the php-function "gethostbyname()", which returns an ip-
 number to a given host.
 Behind a firewall you will find typically no dns-resolving of internet
 host names. In this
 case gethostbyname() does not return an ip-number, it returns the host
 name. Therefor the
 condition in line 557 becomes "true" and the result of
 wp_http_validate_url() is false.
 This produces the error '**A valid URL was not provided.**' in public
 function request in
 wp-includes/class-http.php

 I hope, that helps you to enhance wordpress. I change the 558 back to
 version 5.2.3
 and wordpress works as good as ever behind a firewall.

 Greetings karlte

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48509>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list