Skip to content

Early filter invalid hosts in wp_http_validate_url() #10669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
manhphuc wants to merge 11 commits into
base: trunk
Choose a base branch
from
Open

Early filter invalid hosts in wp_http_validate_url() #10669

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
b89bec6
HTTP API: Early filter invalid hosts in wp_http_validate_url()
manhphuc Dec 30, 2025
1439d45
Validate non-IP hostnames early in wp_http_validate_url
manhphuc Dec 30, 2025
fc38d7a
HTTP: Early reject invalid hostnames in wp_http_validate_url()
manhphuc Dec 30, 2025
6c7eccb
Tests: fix inline alignment to satisfy PHPCS
manhphuc Dec 30, 2025
d8d86bd
Tests: remove duplicate IP case and fix array formatting
manhphuc Dec 30, 2025
aa5990c
Tests: fix array alignment for PHPCS
manhphuc Dec 30, 2025
fe877fd
HTTP: compute IPv4 host earlier
manhphuc Dec 31, 2025
0ad1fab
Update http.php
manhphuc Jan 2, 2026
889fe26
HTTP: use strict false check for filter_var()
manhphuc Jan 2, 2026
897b851
HTTP: avoid early invalid-host return for IPv4 addresses
manhphuc Jan 2, 2026
9f70512
HTTP: Avoid rejecting hosts with underscore subdomains
manhphuc Jan 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion src/wp-includes/http.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -587,9 +587,24 @@ function wp_http_validate_url( $url ) {
$parsed_home = parse_url( get_option( 'home' ) );
$same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
$host = trim( $parsed_url['host'], '.' );
$is_ipv4 = (bool) preg_match(
'#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#',
$host
);

if ( ! $same_host ) {
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
if (
! $is_ipv4
Copy link
Member

@SirLouen SirLouen Dec 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@manhphuc I think you are shortcircuiting a little late
We have the $parse_url['host'] available much earlier.

Also, ipv4 will return a truthy value, so doing this won't be disruptive for such addresses
https://3v4l.org/Jau1h

I recommend you to debug a bit to set it in the best place. See what kind of values you are receiving earlier.

Copy link
Author

@manhphuc manhphuc Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion!

I’ve moved the IPv4 detection to right after normalizing $host, so it’s available earlier and reused in the ! $same_host branch. This keeps the behavior unchanged for IPv4 addresses, while avoiding the later short-circuit.

Let me know if you’d prefer it even earlier in the function.

Copy link
Member

@SirLouen SirLouen Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ipv4 check is totally irrelevant for this patch. Leave it where it is
What you should do is an earlier return in the filter. Ignore the ipv4 check this is why I gave you the 3v4l.org example.

Copy link
Member

@westonruter westonruter Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about if it is an IPv6? Should the regex be updated to account for that?

Copy link
Author

@manhphuc manhphuc Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ipv4 check is totally irrelevant for this patch. Leave it where it is What you should do is an earlier return in the filter. Ignore the ipv4 check this is why I gave you the 3v4l.org example.

Thanks for the clarification!

I’ve removed the earlier $is_ipv4 refactor and kept the IPv4 handling where it was.
The early return now only applies when the host is not an IPv4 address and filter_var() reports it as invalid, before doing any DNS resolution.

Let me know if you’d like the IPv4 regex extraction into a helper/variable for readability, but I kept it inline to minimize churn.

Copy link
Author

@manhphuc manhphuc Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about if it is an IPv6? Should the regex be updated to account for that?

Good question.

This change keeps the existing IP-handling behavior intact. IPv6 hosts are already rejected earlier in wp_http_validate_url() due to the current host character checks, so I didn’t expand the IPv4 regex here (to keep scope focused and avoid behavior changes).

If you think IPv6 support should be revisited in this area, I’m happy to follow up in a separate PR/ticket.

&& extension_loaded( 'filter' )
&& ! filter_var(
Copy link
Member

@westonruter westonruter Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
&& ! filter_var(
&& false === filter_var(

Copy link
Author

@manhphuc manhphuc Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — updated to a strict false === filter_var() check to avoid loose negation and align with common core patterns. Thanks!

$host,
FILTER_VALIDATE_DOMAIN,
array( 'flags' => FILTER_FLAG_HOSTNAME )
)
) {
return false;
}
if ( $is_ipv4 ) {
$ip = $host;
} else {
$ip = gethostbyname( $host );
Expand Down
3 changes: 3 additions & 0 deletions tests/phpunit/tests/http/http.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -566,6 +566,9 @@ public function data_wp_http_validate_url_should_not_validate() {
'url' => 'https://example.com:81/caniload.php',
'cb_safe_ports' => 'callback_remove_safe_ports',
),
'underscore_in_hostname' => array(
'url' => 'https://foo_bar.example.com/',
),
);
}

Expand Down
Loading