Commit 7a3a0fa

Docs: Improve wp_remote_safe_* and wp_http_validate_url docblocks.
Props benjaminpick, audrasjb. Fixes #61092. git-svn-id: https://develop.svn.wordpress.org/trunk@58384 602fd350-edb4-49c9-b593-d223f7449a82
1 parent 2778f48 commit 7a3a0fa

1 file changed: +32 -4 lines changed

src/wp-includes/http.php

Lines changed: 32 additions & 4 deletions
@@ -30,13 +30,17 @@ function _wp_http_get_object() {
3030
* Retrieve the raw response from a safe HTTP request.
3131
*
3232
* This function is ideal when the HTTP request is being made to an arbitrary
33-
* URL. The URL is validated to avoid redirection and request forgery attacks.
33+
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
34+
* to avoid Server Side Request Forgery attacks (SSRF).
3435
*
3536
* @since 3.6.0
3637
*
3738
* @see wp_remote_request() For more information on the response array format.
3839
* @see WP_Http::request() For default arguments information.
40+
* @see wp_http_validate_url() For more information about how the URL is validated.
3941
*
42+
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
43+
*
4044
* @param string $url URL to retrieve.
4145
* @param array $args Optional. Request arguments. Default empty array.
4246
* See WP_Http::request() for information on accepted arguments.
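Review bot: in the new line `to avoid Server Side Request Forgery attacks (SSRF)`, the abbreviation is attached to `attacks` rather than to the term it abbreviates; `to avoid Server-Side Request Forgery (SSRF) attacks` reads more naturally and matches the title of the OWASP page linked by the new `@link` tag. In the same sentence the subject is `The URL` with `, and every URL it redirects to,` set off by commas, so the verb should be `is validated`; alternatively drop the commas so the compound subject correctly takes `are validated`.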
@@ -52,12 +56,16 @@ function wp_safe_remote_request( $url, $args = array() ) {
5256
* Retrieve the raw response from a safe HTTP request using the GET method.
5357
*
5458
* This function is ideal when the HTTP request is being made to an arbitrary
55-
* URL. The URL is validated to avoid redirection and request forgery attacks.
59+
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
60+
* to avoid Server Side Request Forgery attacks (SSRF).
5661
*
5762
* @since 3.6.0
5863
*
5964
* @see wp_remote_request() For more information on the response array format.
6065
* @see WP_Http::request() For default arguments information.
66+
* @see wp_http_validate_url() For more information about how the URL is validated.
67+
*
68+
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
6169
*
6270
* @param string $url URL to retrieve.
6371
* @param array $args Optional. Request arguments. Default empty array.
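Review bot: this paragraph together with the new `@see wp_http_validate_url()` and `@link` tags is now repeated verbatim in the docblocks of wp_safe_remote_request(), wp_safe_remote_get(), wp_safe_remote_post() and wp_safe_remote_head(), so any future change to how redirects are validated has to be applied in four places. Consider keeping the full explanation on wp_safe_remote_request() and having the method-specific wrappers point to it, e.g. `@see wp_safe_remote_request() For details on how the URL and its redirects are validated.`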
@@ -74,12 +82,16 @@ function wp_safe_remote_get( $url, $args = array() ) {
7482
* Retrieve the raw response from a safe HTTP request using the POST method.
7583
*
7684
* This function is ideal when the HTTP request is being made to an arbitrary
77-
* URL. The URL is validated to avoid redirection and request forgery attacks.
85+
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
86+
* to avoid Server Side Request Forgery attacks (SSRF).
7887
*
7988
* @since 3.6.0
8089
*
8190
* @see wp_remote_request() For more information on the response array format.
8291
* @see WP_Http::request() For default arguments information.
92+
* @see wp_http_validate_url() For more information about how the URL is validated.
93+
*
94+
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
8395
*
8496
* @param string $url URL to retrieve.
8597
* @param array $args Optional. Request arguments. Default empty array.
@@ -96,12 +108,16 @@ function wp_safe_remote_post( $url, $args = array() ) {
96108
* Retrieve the raw response from a safe HTTP request using the HEAD method.
97109
*
98110
* This function is ideal when the HTTP request is being made to an arbitrary
99-
* URL. The URL is validated to avoid redirection and request forgery attacks.
111+
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
112+
* to avoid Server Side Request Forgery attacks (SSRF).
100113
*
101114
* @since 3.6.0
102115
*
103116
* @see wp_remote_request() For more information on the response array format.
104117
* @see WP_Http::request() For default arguments information.
118+
* @see wp_http_validate_url() For more information about how the URL is validated.
119+
*
120+
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
105121
*
106122
* @param string $url URL to retrieve.
107123
* @param array $args Optional. Request arguments. Default empty array.
@@ -521,6 +537,18 @@ function send_origin_headers() {
521537
/**
522538
* Validate a URL for safe use in the HTTP API.
523539
*
540+
* Examples of URLs that are considered unsafe:
541+
*
542+
* - ftp://example.com/caniload.php (Invalid protocol - Only http and https are allowed)
543+
* - http:///example.com/caniload.php (Malformed URL)
544+
* - http://user:[email protected]/caniload.php (Login information)
545+
* - http://exampleeeee.com/caniload.php (Invalid hostname, as the IP cannot be looked up in DNS)
546+
*
547+
* Examples of URLS that are considered unsafe by default:
548+
*
549+
* - http://192.168.0.1/caniload.php (IPs from LAN networks. This can be changed with the Wordpress filter http_request_host_is_external)
550+
* - http://198.143.164.252:81/caniload.php (By default, only 80, 443 and 8080 are allowed. This can be changed with the Wordpress filter http_allowed_safe_ports)
551+
*
524552
* @since 3.5.2
525553
*
526554
* @param string $url Request URL.
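Review bot: several fixes are needed in the new example list. `Wordpress` should be `WordPress` in both filter descriptions, and `URLS` in `Examples of URLS that are considered unsafe by default` should be `URLs`. The `Login information` example renders here as `http://user:[email protected]/caniload.php`, which is not a URL carrying userinfo; check that the committed text has the `http://user:pass@example.com/caniload.php` form so the example actually shows credentials in the URL. The `exampleeeee.com` example only works as long as that name never resolves; a name under the reserved `.invalid` top-level domain (RFC 2606) is guaranteed not to and makes the intent explicit. The port example uses the public address `198.143.164.252`; an address from the RFC 5737 documentation range, such as `192.0.2.1:81`, avoids pointing readers at a real host. Finally, `IPs from LAN networks` could name the address ranges it means so readers do not have to consult the function body to know what is rejected by default.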
