[wp-trac] [WordPress Trac] #48761: Update of WP-core, themes and Plugins fails behind a firewall

WordPress Trac noreply at wordpress.org
Fri Nov 22 08:21:24 UTC 2019 

#48761: Update of WP-core, themes and Plugins fails behind a firewall
--------------------------+-----------------------------
 Reporter:  karlte        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  HTTP API      |    Version:  5.3
 Severity:  major         |   Keywords:  needs-patch
  Focuses:                |
--------------------------+-----------------------------
 Hello to all!

 Please excuse, that i am reporting #48509 again, but i am not familiar
 with
 the bug track (second time for me) and don't know, how to move the ticket
 to the new version. It is not possible (for me), to select a higher
 version than 5.2.4 in the original #48509.

 The error in ticket 48509 continues in Version 5.3.
 Because i am using wordpress behind a firewall, it is very important, that
 updates etc. are working. This error avoid correct operation behind a
 firewall.

 Here is 48509 again:
 Thank you very much for creating wordpress and giving me the chance to
 report a bug.
 I am working in a governmental organization, which uses a big firewall to
 protect
 themselves agains the attacks from the internet.

 The error appeared first in version 5.2.4, in versions before all went
 well.

 I have set the severity to "major", because you can't use any of the
 update functions
 of wordpress behind a firewall anymore.

 I found out the following:

 In wp-includes/http.php in version 5.2.4 the following changes in function
 wp_http_validate_url() take part:

 {{{#!php
 <?php
 //-------------- wp-includes/http.php version 5.2.4
 -----------------------------
 ...
 551         if ( ! $same_host ) {
 552                 $host = trim( $parsed_url['host'], '.' );
 553                 if ( preg_match(
 '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#',
 $host ) ) {
 554                         $ip = $host;
 555                 } else {
 556                         $ip = gethostbyname( $host );
 557                         if ( $ip === $host ) { // Error condition for
 gethostbyname()
 ///////////////////////////////////////////////////////
 558                                 return false; // <---- This is in
 version 5.2.4
 ///////////////////////////////////////////////////////
 559                         }
 560                 }
 561                 if ( $ip ) {
 562                         $parts = array_map( 'intval', explode( '.',
 $ip ) );
 563                         if ( 127 === $parts[0] || 10 === $parts[0] ||
 0 === $parts[0]
 564                                 || ( 172 === $parts[0] && 16 <=
 $parts[1] && 31 >= $parts[1] )
 565                                 || ( 192 === $parts[0] && 168 ===
 $parts[1] )
 566                         ) {
 ...
 //--------------------------------------------------------------------------------

 }}}

  Since this change updates of wp-core, install and update of plugins
 and/or themes are not(!!) successful.

 In version 5.2.3 all went well and i show you the corresponding lines:

 {{{#!php
 <?php

 //-------------- wp-includes/http.php version 5.2.3
 ------------------------------
 ...
 551         if ( ! $same_host ) {
 552                 $host = trim( $parsed_url['host'], '.' );
 553                 if ( preg_match(
 '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#',
 $host ) ) {
 554                         $ip = $host;
 555                 } else {
 556                         $ip = gethostbyname( $host );
 557                         if ( $ip === $host ) { // Error condition for
 gethostbyname()
 ////////////////////////////////////////////////
 558                                 $ip = false;  // this works fine
 behind firewall
 ////////////////////////////////////////////////
 559                         }
 560                 }
 561                 if ( $ip ) {
 562                         $parts = array_map( 'intval', explode( '.',
 $ip ) );
 563                         if ( 127 === $parts[0] || 10 === $parts[0] ||
 0 === $parts[0]
 564                                 || ( 172 === $parts[0] && 16 <=
 $parts[1] && 31 >= $parts[1] )
 565                                 || ( 192 === $parts[0] && 168 ===
 $parts[1] )
 566                         ) {
 ...
 //--------------------------------------------------------------------------------

 }}}

  The reason is the php-function "gethostbyname()", which returns an ip-
 number to a given host.
 Behind a firewall you will find typically no dns-resolving of internet
 host names. In this
 case gethostbyname() does not return an ip-number, it returns the host
 name. Therefore the
 condition in line 557 becomes "true" and the result of
 wp_http_validate_url() is false.
 This produces the error 'A valid URL was not provided.' in public function
 request in
 wp-includes/class-http.php

 I hope, that helps you to enhance wordpress. I change the 558 back to
 version 5.2.3
 and wordpress works as good as ever behind a firewall.

 Greetings karlte

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48761>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list