Skip to content

Commit 6d26f58

Browse files
johnbillionjohnbillion
committed
HTTP API: Various improvements to the docblocks for HTTP functions.
See #63166 git-svn-id: https://develop.svn.wordpress.org/trunk@60652 602fd350-edb4-49c9-b593-d223f7449a82
1 parent 66f3fa0 commit 6d26f58

File tree

2 files changed

+32
-20
lines changed

2 files changed

+32
-20
lines changed

src/wp-includes/class-wp-http.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -264,7 +264,7 @@ public function request( $url, $args = array() ) {
264264
*
265265
* - An array containing 'headers', 'body', 'response', 'cookies', and 'filename' elements
266266
* - A WP_Error instance
267-
* - boolean false to avoid short-circuiting the response
267+
* - Boolean false to avoid short-circuiting the response
268268
*
269269
* Returning any other value may result in unexpected behavior.
270270
*

src/wp-includes/http.php

Lines changed: 31 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@ function _wp_http_get_object() {
3333
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
3434
* to avoid Server Side Request Forgery attacks (SSRF).
3535
*
36+
* The only supported protocols are `http` and `https`.
37+
*
3638
* @since 3.6.0
3739
*
3840
* @see wp_remote_request() For more information on the response array format.
@@ -60,6 +62,8 @@ function wp_safe_remote_request( $url, $args = array() ) {
6062
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
6163
* to avoid Server Side Request Forgery attacks (SSRF).
6264
*
65+
* The only supported protocols are `http` and `https`.
66+
*
6367
* @since 3.6.0
6468
*
6569
* @see wp_remote_request() For more information on the response array format.
@@ -87,6 +91,8 @@ function wp_safe_remote_get( $url, $args = array() ) {
8791
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
8892
* to avoid Server Side Request Forgery attacks (SSRF).
8993
*
94+
* The only supported protocols are `http` and `https`.
95+
*
9096
* @since 3.6.0
9197
*
9298
* @see wp_remote_request() For more information on the response array format.
@@ -114,6 +120,8 @@ function wp_safe_remote_post( $url, $args = array() ) {
114120
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
115121
* to avoid Server Side Request Forgery attacks (SSRF).
116122
*
123+
* The only supported protocols are `http` and `https`.
124+
*
117125
* @since 3.6.0
118126
*
119127
* @see wp_remote_request() For more information on the response array format.
@@ -143,6 +151,8 @@ function wp_safe_remote_head( $url, $args = array() ) {
143151
* - Default 'POST' for wp_remote_post()
144152
* - Default 'HEAD' for wp_remote_head()
145153
*
154+
* Important: If the URL is user-controlled, use `wp_safe_remote_request()` instead.
155+
*
146156
* @since 2.7.0
147157
*
148158
* @see WP_Http::request() For information on default arguments.
@@ -161,6 +171,8 @@ function wp_remote_request( $url, $args = array() ) {
161171
/**
162172
* Performs an HTTP request using the GET method and returns its response.
163173
*
174+
* Important: If the URL is user-controlled, use `wp_safe_remote_get()` instead.
175+
*
164176
* @since 2.7.0
165177
*
166178
* @see wp_remote_request() For more information on the response array format.
@@ -180,6 +192,8 @@ function wp_remote_get( $url, $args = array() ) {
180192
/**
181193
* Performs an HTTP request using the POST method and returns its response.
182194
*
195+
* Important: If the URL is user-controlled, use `wp_safe_remote_post()` instead.
196+
*
183197
* @since 2.7.0
184198
*
185199
* @see wp_remote_request() For more information on the response array format.
@@ -199,6 +213,8 @@ function wp_remote_post( $url, $args = array() ) {
199213
/**
200214
* Performs an HTTP request using the HEAD method and returns its response.
201215
*
216+
* Important: If the URL is user-controlled, use `wp_safe_remote_head()` instead.
217+
*
202218
* @since 2.7.0
203219
*
204220
* @see wp_remote_request() For more information on the response array format.
@@ -421,7 +437,7 @@ function get_http_origin() {
421437
*
422438
* @since 3.4.0
423439
*
424-
* @param string $origin The original origin for the request.
440+
* @param string $origin The HTTP origin for the request.
425441
*/
426442
return apply_filters( 'http_origin', $origin );
427443
}
@@ -452,14 +468,7 @@ function get_allowed_http_origins() {
452468
*
453469
* @since 3.4.0
454470
*
455-
* @param string[] $allowed_origins {
456-
* Array of default allowed HTTP origins.
457-
*
458-
* @type string $0 Non-secure URL for admin origin.
459-
* @type string $1 Secure URL for admin origin.
460-
* @type string $2 Non-secure URL for home origin.
461-
* @type string $3 Secure URL for home origin.
462-
* }
471+
* @param string[] $allowed_origins Array of allowed HTTP origins.
463472
*/
464473
return apply_filters( 'allowed_http_origins', $allowed_origins );
465474
}
@@ -528,26 +537,28 @@ function send_origin_headers() {
528537
}
529538

530539
/**
531-
* Validates a URL for safe use in the HTTP API.
540+
* Validates a URL as safe for use in the HTTP API.
541+
*
542+
* The only supported protocols are `http` and `https`.
532543
*
533544
* Examples of URLs that are considered unsafe:
534545
*
535-
* - ftp://example.com/caniload.php - Invalid protocol - only http and https are allowed.
536-
* - http:///example.com/caniload.php - Malformed URL.
537-
* - http://user:[email protected]/caniload.php - Login information.
538-
* - http://example.invalid/caniload.php - Invalid hostname, as the IP cannot be looked up in DNS.
546+
* - `ftp://example.com/caniload.php` - Invalid protocol - only http and https are allowed.
547+
* - `http:///example.com/caniload.php` - Malformed URL.
548+
* - `http://user:[email protected]/caniload.php` - Login information.
549+
* - `http://example.invalid/caniload.php` - Invalid hostname, as the IP cannot be looked up in DNS.
539550
*
540-
* Examples of URLs that are considered unsafe by default:
551+
* Examples of URLs that are considered unsafe by default but can be allowed with filters:
541552
*
542-
* - http://192.168.0.1/caniload.php - IPs from LAN networks.
553+
* - `http://192.168.0.1/caniload.php` - IP address from LAN network.
543554
* This can be changed with the {@see 'http_request_host_is_external'} filter.
544-
* - http://198.143.164.252:81/caniload.php - By default, only 80, 443, and 8080 ports are allowed.
555+
* - `http://198.143.164.252:81/caniload.php` - By default, only ports 80, 443, and 8080 are allowed.
545556
* This can be changed with the {@see 'http_allowed_safe_ports'} filter.
546557
*
547558
* @since 3.5.2
548559
*
549560
* @param string $url Request URL.
550-
* @return string|false URL or false on failure.
561+
* @return string|false Returns false if the URL is not safe, or the original URL if it is safe.
551562
*/
552563
function wp_http_validate_url( $url ) {
553564
if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
@@ -624,7 +635,8 @@ function wp_http_validate_url( $url ) {
624635
*
625636
* @since 5.9.0
626637
*
627-
* @param int[] $allowed_ports Array of integers for valid ports.
638+
* @param int[] $allowed_ports Array of integers for valid ports. Default allowed ports
639+
* are 80, 443, and 8080.
628640
* @param string $host Host name of the requested URL.
629641
* @param string $url Requested URL.
630642
*/

0 commit comments

Comments
 (0)