1 files changed, 57 insertions, 27 deletions

diff --git a/wp-includes/http.php b/wp-includes/http.php
index e1738be..08756f6 100644
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -27,15 +27,19 @@ function _wp_http_get_object() {
 }
 
 /**
- * Retrieve the raw response from a safe HTTP request.
+ * Retrieves the raw response from a safe HTTP request.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -49,15 +53,19 @@ function wp_safe_remote_request( $url, $args = array() ) {
 }
 
 /**
- * Retrieve the raw response from a safe HTTP request using the GET method.
+ * Retrieves the raw response from a safe HTTP request using the GET method.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -71,15 +79,19 @@ function wp_safe_remote_get( $url, $args = array() ) {
 }
 
 /**
- * Retrieve the raw response from a safe HTTP request using the POST method.
+ * Retrieves the raw response from a safe HTTP request using the POST method.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -93,15 +105,19 @@ function wp_safe_remote_post( $url, $args = array() ) {
 }
 
 /**
- * Retrieve the raw response from a safe HTTP request using the HEAD method.
+ * Retrieves the raw response from a safe HTTP request using the HEAD method.
  *
  * This function is ideal when the HTTP request is being made to an arbitrary
- * URL. The URL is validated to avoid redirection and request forgery attacks.
+ * URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
+ * to avoid Server Side Request Forgery attacks (SSRF).
  *
  * @since 3.6.0
  *
  * @see wp_remote_request() For more information on the response array format.
  * @see WP_Http::request() For default arguments information.
+ * @see wp_http_validate_url() For more information about how the URL is validated.
+ *
+ * @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
  *
  * @param string $url  URL to retrieve.
  * @param array  $args Optional. Request arguments. Default empty array.
@@ -205,7 +221,7 @@ function wp_remote_head( $url, $args = array() ) {
 }
 
 /**
- * Retrieve only the headers from the raw response.
+ * Retrieves only the headers from the raw response.
  *
  * @since 2.7.0
  * @since 4.6.0 Return value changed from an array to an WpOrg\Requests\Utility\CaseInsensitiveDictionary instance.
@@ -225,7 +241,7 @@ function wp_remote_retrieve_headers( $response ) {
 }
 
 /**
- * Retrieve a single header by name from the raw response.
+ * Retrieves a single header by name from the raw response.
  *
  * @since 2.7.0
  *
@@ -247,7 +263,7 @@ function wp_remote_retrieve_header( $response, $header ) {
 }
 
 /**
- * Retrieve only the response code from the raw response.
+ * Retrieves only the response code from the raw response.
  *
  * Will return an empty string if incorrect parameter value is given.
  *
@@ -265,7 +281,7 @@ function wp_remote_retrieve_response_code( $response ) {
 }
 
 /**
- * Retrieve only the response message from the raw response.
+ * Retrieves only the response message from the raw response.
  *
  * Will return an empty string if incorrect parameter value is given.
  *
@@ -283,7 +299,7 @@ function wp_remote_retrieve_response_message( $response ) {
 }
 
 /**
- * Retrieve only the body from the raw response.
+ * Retrieves only the body from the raw response.
  *
  * @since 2.7.0
  *
@@ -299,7 +315,7 @@ function wp_remote_retrieve_body( $response ) {
 }
 
 /**
- * Retrieve only the cookies from the raw response.
+ * Retrieves only the cookies from the raw response.
  *
  * @since 4.4.0
  *
@@ -316,7 +332,7 @@ function wp_remote_retrieve_cookies( $response ) {
 }
 
 /**
- * Retrieve a single cookie by name from the raw response.
+ * Retrieves a single cookie by name from the raw response.
  *
  * @since 4.4.0
  *
@@ -342,7 +358,7 @@ function wp_remote_retrieve_cookie( $response, $name ) {
 }
 
 /**
- * Retrieve a single cookie's value by name from the raw response.
+ * Retrieves a single cookie's value by name from the raw response.
  *
  * @since 4.4.0
  *
@@ -395,7 +411,7 @@ function wp_http_supports( $capabilities = array(), $url = null ) {
 }
 
 /**
- * Get the HTTP Origin of the current request.
+ * Gets the HTTP Origin of the current request.
  *
  * @since 3.4.0
  *
@@ -408,7 +424,7 @@ function get_http_origin() {
 	}
 
 	/**
-	 * Change the origin of an HTTP request.
+	 * Changes the origin of an HTTP request.
 	 *
 	 * @since 3.4.0
 	 *
@@ -418,7 +434,7 @@ function get_http_origin() {
 }
 
 /**
- * Retrieve list of allowed HTTP origins.
+ * Retrieves list of allowed HTTP origins.
  *
  * @since 3.4.0
  *
@@ -439,7 +455,7 @@ function get_allowed_http_origins() {
 	);
 
 	/**
-	 * Change the origin types allowed for HTTP requests.
+	 * Changes the origin types allowed for HTTP requests.
 	 *
 	 * @since 3.4.0
 	 *
@@ -475,7 +491,7 @@ function is_allowed_http_origin( $origin = null ) {
 	}
 
 	/**
-	 * Change the allowed HTTP origin result.
+	 * Changes the allowed HTTP origin result.
 	 *
 	 * @since 3.4.0
 	 *
@@ -486,7 +502,7 @@ function is_allowed_http_origin( $origin = null ) {
 }
 
 /**
- * Send Access-Control-Allow-Origin and related headers if the current request
+ * Sends Access-Control-Allow-Origin and related headers if the current request
  * is from an allowed origin.
  *
  * If the request is an OPTIONS request, the script exits with either access
@@ -519,7 +535,21 @@ function send_origin_headers() {
 }
 
 /**
- * Validate a URL for safe use in the HTTP API.
+ * Validates a URL for safe use in the HTTP API.
+ *
+ * Examples of URLs that are considered unsafe:
+ *
+ * - ftp://example.com/caniload.php - Invalid protocol - only http and https are allowed.
+ * - http:///example.com/caniload.php - Malformed URL.
+ * - http://user:pass@example.com/caniload.php - Login information.
+ * - http://exampleeeee.com/caniload.php - Invalid hostname, as the IP cannot be looked up in DNS.
+ *
+ * Examples of URLs that are considered unsafe by default:
+ *
+ * - http://192.168.0.1/caniload.php - IPs from LAN networks.
+ *   This can be changed with the {@see 'http_request_host_is_external'} filter.
+ * - http://198.143.164.252:81/caniload.php - By default, only 80, 443, and 8080 ports are allowed.
+ *   This can be changed with the {@see 'http_allowed_safe_ports'} filter.
  *
  * @since 3.5.2
  *
@@ -571,7 +601,7 @@ function wp_http_validate_url( $url ) {
 			) {
 				// If host appears local, reject unless specifically allowed.
 				/**
-				 * Check if HTTP request is external or not.
+				 * Checks if HTTP request is external or not.
 				 *
 				 * Allows to change and allow external requests for the HTTP request.
 				 *
@@ -618,7 +648,7 @@ function wp_http_validate_url( $url ) {
 }
 
 /**
- * Mark allowed redirect hosts safe for HTTP requests as well.
+ * Marks allowed redirect hosts safe for HTTP requests as well.
  *
  * Attached to the {@see 'http_request_host_is_external'} filter.
  *
@@ -719,7 +749,7 @@ function wp_parse_url( $url, $component = -1 ) {
 }
 
 /**
- * Retrieve a specific component from a parsed URL array.
+ * Retrieves a specific component from a parsed URL array.
  *
  * @internal
  *
@@ -751,7 +781,7 @@ function _get_component_from_parsed_url_array( $url_parts, $component = -1 ) {
 }
 
 /**
- * Translate a PHP_URL_* constant to the named array keys PHP uses.
+ * Translates a PHP_URL_* constant to the named array keys PHP uses.
  *
  * @internal
  *