diff options
Diffstat (limited to '')
-rw-r--r-- | wp-includes/http.php | 84 |
1 files changed, 57 insertions, 27 deletions
diff --git a/wp-includes/http.php b/wp-includes/http.php index e1738be..08756f6 100644 --- a/wp-includes/http.php +++ b/wp-includes/http.php @@ -27,15 +27,19 @@ function _wp_http_get_object() { } /** - * Retrieve the raw response from a safe HTTP request. + * Retrieves the raw response from a safe HTTP request. * * This function is ideal when the HTTP request is being made to an arbitrary - * URL. The URL is validated to avoid redirection and request forgery attacks. + * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url() + * to avoid Server Side Request Forgery attacks (SSRF). * * @since 3.6.0 * * @see wp_remote_request() For more information on the response array format. * @see WP_Http::request() For default arguments information. + * @see wp_http_validate_url() For more information about how the URL is validated. + * + * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery * * @param string $url URL to retrieve. * @param array $args Optional. Request arguments. Default empty array. @@ -49,15 +53,19 @@ function wp_safe_remote_request( $url, $args = array() ) { } /** - * Retrieve the raw response from a safe HTTP request using the GET method. + * Retrieves the raw response from a safe HTTP request using the GET method. * * This function is ideal when the HTTP request is being made to an arbitrary - * URL. The URL is validated to avoid redirection and request forgery attacks. + * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url() + * to avoid Server Side Request Forgery attacks (SSRF). * * @since 3.6.0 * * @see wp_remote_request() For more information on the response array format. * @see WP_Http::request() For default arguments information. + * @see wp_http_validate_url() For more information about how the URL is validated. + * + * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery * * @param string $url URL to retrieve. * @param array $args Optional. Request arguments. Default empty array. @@ -71,15 +79,19 @@ function wp_safe_remote_get( $url, $args = array() ) { } /** - * Retrieve the raw response from a safe HTTP request using the POST method. + * Retrieves the raw response from a safe HTTP request using the POST method. * * This function is ideal when the HTTP request is being made to an arbitrary - * URL. The URL is validated to avoid redirection and request forgery attacks. + * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url() + * to avoid Server Side Request Forgery attacks (SSRF). * * @since 3.6.0 * * @see wp_remote_request() For more information on the response array format. * @see WP_Http::request() For default arguments information. + * @see wp_http_validate_url() For more information about how the URL is validated. + * + * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery * * @param string $url URL to retrieve. * @param array $args Optional. Request arguments. Default empty array. @@ -93,15 +105,19 @@ function wp_safe_remote_post( $url, $args = array() ) { } /** - * Retrieve the raw response from a safe HTTP request using the HEAD method. + * Retrieves the raw response from a safe HTTP request using the HEAD method. * * This function is ideal when the HTTP request is being made to an arbitrary - * URL. The URL is validated to avoid redirection and request forgery attacks. + * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url() + * to avoid Server Side Request Forgery attacks (SSRF). * * @since 3.6.0 * * @see wp_remote_request() For more information on the response array format. * @see WP_Http::request() For default arguments information. + * @see wp_http_validate_url() For more information about how the URL is validated. + * + * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery * * @param string $url URL to retrieve. * @param array $args Optional. Request arguments. Default empty array. @@ -205,7 +221,7 @@ function wp_remote_head( $url, $args = array() ) { } /** - * Retrieve only the headers from the raw response. + * Retrieves only the headers from the raw response. * * @since 2.7.0 * @since 4.6.0 Return value changed from an array to an WpOrg\Requests\Utility\CaseInsensitiveDictionary instance. @@ -225,7 +241,7 @@ function wp_remote_retrieve_headers( $response ) { } /** - * Retrieve a single header by name from the raw response. + * Retrieves a single header by name from the raw response. * * @since 2.7.0 * @@ -247,7 +263,7 @@ function wp_remote_retrieve_header( $response, $header ) { } /** - * Retrieve only the response code from the raw response. + * Retrieves only the response code from the raw response. * * Will return an empty string if incorrect parameter value is given. * @@ -265,7 +281,7 @@ function wp_remote_retrieve_response_code( $response ) { } /** - * Retrieve only the response message from the raw response. + * Retrieves only the response message from the raw response. * * Will return an empty string if incorrect parameter value is given. * @@ -283,7 +299,7 @@ function wp_remote_retrieve_response_message( $response ) { } /** - * Retrieve only the body from the raw response. + * Retrieves only the body from the raw response. * * @since 2.7.0 * @@ -299,7 +315,7 @@ function wp_remote_retrieve_body( $response ) { } /** - * Retrieve only the cookies from the raw response. + * Retrieves only the cookies from the raw response. * * @since 4.4.0 * @@ -316,7 +332,7 @@ function wp_remote_retrieve_cookies( $response ) { } /** - * Retrieve a single cookie by name from the raw response. + * Retrieves a single cookie by name from the raw response. * * @since 4.4.0 * @@ -342,7 +358,7 @@ function wp_remote_retrieve_cookie( $response, $name ) { } /** - * Retrieve a single cookie's value by name from the raw response. + * Retrieves a single cookie's value by name from the raw response. * * @since 4.4.0 * @@ -395,7 +411,7 @@ function wp_http_supports( $capabilities = array(), $url = null ) { } /** - * Get the HTTP Origin of the current request. + * Gets the HTTP Origin of the current request. * * @since 3.4.0 * @@ -408,7 +424,7 @@ function get_http_origin() { } /** - * Change the origin of an HTTP request. + * Changes the origin of an HTTP request. * * @since 3.4.0 * @@ -418,7 +434,7 @@ function get_http_origin() { } /** - * Retrieve list of allowed HTTP origins. + * Retrieves list of allowed HTTP origins. * * @since 3.4.0 * @@ -439,7 +455,7 @@ function get_allowed_http_origins() { ); /** - * Change the origin types allowed for HTTP requests. + * Changes the origin types allowed for HTTP requests. * * @since 3.4.0 * @@ -475,7 +491,7 @@ function is_allowed_http_origin( $origin = null ) { } /** - * Change the allowed HTTP origin result. + * Changes the allowed HTTP origin result. * * @since 3.4.0 * @@ -486,7 +502,7 @@ function is_allowed_http_origin( $origin = null ) { } /** - * Send Access-Control-Allow-Origin and related headers if the current request + * Sends Access-Control-Allow-Origin and related headers if the current request * is from an allowed origin. * * If the request is an OPTIONS request, the script exits with either access @@ -519,7 +535,21 @@ function send_origin_headers() { } /** - * Validate a URL for safe use in the HTTP API. + * Validates a URL for safe use in the HTTP API. + * + * Examples of URLs that are considered unsafe: + * + * - ftp://example.com/caniload.php - Invalid protocol - only http and https are allowed. + * - http:///example.com/caniload.php - Malformed URL. + * - http://user:pass@example.com/caniload.php - Login information. + * - http://exampleeeee.com/caniload.php - Invalid hostname, as the IP cannot be looked up in DNS. + * + * Examples of URLs that are considered unsafe by default: + * + * - http://192.168.0.1/caniload.php - IPs from LAN networks. + * This can be changed with the {@see 'http_request_host_is_external'} filter. + * - http://198.143.164.252:81/caniload.php - By default, only 80, 443, and 8080 ports are allowed. + * This can be changed with the {@see 'http_allowed_safe_ports'} filter. * * @since 3.5.2 * @@ -571,7 +601,7 @@ function wp_http_validate_url( $url ) { ) { // If host appears local, reject unless specifically allowed. /** - * Check if HTTP request is external or not. + * Checks if HTTP request is external or not. * * Allows to change and allow external requests for the HTTP request. * @@ -618,7 +648,7 @@ function wp_http_validate_url( $url ) { } /** - * Mark allowed redirect hosts safe for HTTP requests as well. + * Marks allowed redirect hosts safe for HTTP requests as well. * * Attached to the {@see 'http_request_host_is_external'} filter. * @@ -719,7 +749,7 @@ function wp_parse_url( $url, $component = -1 ) { } /** - * Retrieve a specific component from a parsed URL array. + * Retrieves a specific component from a parsed URL array. * * @internal * @@ -751,7 +781,7 @@ function _get_component_from_parsed_url_array( $url_parts, $component = -1 ) { } /** - * Translate a PHP_URL_* constant to the named array keys PHP uses. + * Translates a PHP_URL_* constant to the named array keys PHP uses. * * @internal * |