[wp-trac] [WordPress Trac] #54331: Add a hook in wp_http_validate_url to control which ports are allowed for remote requests
WordPress Trac
noreply at wordpress.org
Wed Nov 3 05:56:56 UTC 2021
#54331: Add a hook in wp_http_validate_url to control which ports are allowed for
remote requests
-------------------------------------------------+-------------------------
Reporter: xknown | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.9
Component: HTTP API | Version:
Severity: normal | Resolution:
Keywords: needs-unit-tests good-first-bug | Focuses:
has-patch 2nd-opinion dev-feedback |
-------------------------------------------------+-------------------------
Comment (by dd32):
> If this isn't accounted for, valid urls containing a port may be deemed
> invalid and vice versa. This may also create a vulnerability in Core. PR
> 1790 doesn't yet account for this.
An integrator could also do something like `add_filter(
'http_allowed_safe_ports', function( $ports, $host, $url) { shell_exec(
$url ); }, 10, 3 );`.
Some expectations of sanity should be applied to those writing filters;
there are far worse things they can do than to return an empty array. Just
because they ''could'' do it wrong, we shouldn't have to ''expect'' them
to do it wrong.
I would consider `add_filter( 'http_allowed_safe_ports',
'__return_empty_array' );` to mark all requests as unsafe, and
`add_filter( 'http_allowed_safe_ports', '__return_false' );` to throw a
PHP Warning from the `in_array()` check (and ultimately mark it as
unsafe).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54331#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
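
A callback for the `http_allowed_safe_ports` filter that always returns an array and fails closed on bad input, as an added example that is not part of the ticket, the patch or WordPress core. The function name, host name and extra port are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example (not WordPress core code). Host and port are hypothetical.
const EXAMPLE_PARTNER_HOST = 'api.example.test';
const EXAMPLE_EXTRA_PORT   = 8443;

/**
 * Callback for 'http_allowed_safe_ports', taking ( $ports, $host, $url )
 * as in the ticket. Always returns an array of integer port numbers.
 */
function example_allowed_safe_ports( $ports, $host, $url ) {
    // An earlier callback may have returned a non-array (e.g. false).
    // Fail closed: allow no ports rather than pass the bad value on.
    if ( ! is_array( $ports ) ) {
        return array();
    }

    // Keep only valid TCP port numbers, normalised to integers.
    $ports = array_filter(
        array_map( 'intval', $ports ),
        function ( $port ) {
            return $port >= 1 && $port <= 65535;
        }
    );

    // Add the extra port for one exact host only, never for every request.
    if ( is_string( $host ) && strtolower( $host ) === EXAMPLE_PARTNER_HOST ) {
        $ports[] = EXAMPLE_EXTRA_PORT;
    }

    return array_values( array_unique( $ports ) );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register with 3 accepted arguments.
    add_filter( 'http_allowed_safe_ports', 'example_allowed_safe_ports', 10, 3 );
} else {
    // Stand-alone run with constructed inputs.
    var_dump( example_allowed_safe_ports( array( 80, 443 ), 'example.org', 'https://example.org:8443/' ) );
    var_dump( example_allowed_safe_ports( array( 80, 443 ), 'api.example.test', 'https://api.example.test:8443/' ) );
    var_dump( example_allowed_safe_ports( false, 'api.example.test', 'https://api.example.test:8443/' ) );
}
```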