[wp-trac] [WordPress Trac] #54331: Add a hook in wp_http_validate_url to control which ports are allowed for remote requests

WordPress Trac noreply at wordpress.org
Wed Nov 3 05:51:15 UTC 2021


#54331: Add a hook in wp_http_validate_url to control which ports are allowed for
remote requests
-------------------------------------------------+-------------------------
 Reporter:  xknown                               |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  5.9
Component:  HTTP API                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-unit-tests good-first-bug      |     Focuses:
  has-patch 2nd-opinion dev-feedback             |
-------------------------------------------------+-------------------------
Changes (by costdev):

 * keywords:  needs-unit-tests good-first-bug has-patch => needs-unit-tests
     good-first-bug has-patch 2nd-opinion dev-feedback


Comment:

 When allowing extenders to decide which ports should be allowed, a plugin
 or theme could do this:

 {{{
 add_filter( 'http_allowed_safe_ports', 'remove_all_safe' );

 function remove_all_safe( $ports ) {
         return array();
 }
 }}}

 If this isn't accounted for, valid URLs containing a port may be deemed
 invalid and vice versa. This ''may'' also create a vulnerability in Core.
 [https://github.com/WordPress/wordpress-develop/pull/1790 PR 1790] doesn't
 yet account for this.

 If `array()` or ''any'' other invalid value is provided, I think that
 `wp_http_validate_url()` should have a fallback to the default `array( 80,
 443, 8080 )` and possibly throw a `_doing_it_wrong()` to ensure that the
 filter is used as expected.

 Unit tests should probably be postponed until we've decided on the
 intended behaviour.

 I have unit tests drafted that target ''all'' of `wp_http_validate_url()`
 including some minor refactoring. I'm holding off in case a new
 contributor wants to voice their interest in providing unit tests.

 If we haven't heard any expressions of interest by the time we come to a
 decision on the implementation, I can finalize and submit the unit tests
 for `wp_http_validate_url()` that will also cover this filter.

 Marking this as `2nd-opinion` and `dev-feedback` to get thoughts on the
 best implementation.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54331#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
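The fallback costdev proposes above, worked through as an added example (this is not WordPress core code and not the patch in PR 1790): the `http_allowed_safe_ports` filter is applied, and if a plugin returns `array()` or anything other than a non-empty list of integer ports, the filtered value is discarded, `_doing_it_wrong()` is raised, and the default `array( 80, 443, 8080 )` is used. The helper names `example_http_allowed_safe_ports()` and `example_url_port_is_allowed()` are assumptions made for this example; the stand-ins for `add_filter()`, `apply_filters()` and `_doing_it_wrong()` exist only so the file runs outside WordPress.

```php
<?php
// Added example, not WordPress core code. Demonstrates validating the result
// of the 'http_allowed_safe_ports' filter and falling back to the defaults.

// Minimal stand-ins so this file runs outside WordPress (constructed for the
// example; inside WordPress the real functions are used and this block is skipped).
if ( ! function_exists( 'apply_filters' ) ) {
    $GLOBALS['example_filters'] = array();
    function add_filter( $hook, $callback ) {
        $GLOBALS['example_filters'][ $hook ][] = $callback;
    }
    function apply_filters( $hook, $value ) {
        foreach ( $GLOBALS['example_filters'][ $hook ] ?? array() as $callback ) {
            $value = call_user_func( $callback, $value );
        }
        return $value;
    }
    function _doing_it_wrong( $function, $message, $version ) {
        // WordPress triggers a notice here; the stand-in just prints it.
        echo "Notice: {$function} was called incorrectly (since {$version}): {$message}\n";
    }
}

/**
 * Hypothetical helper: the ports wp_http_validate_url() may accept.
 * A plugin may change the list via 'http_allowed_safe_ports', but an
 * invalid return value must not silently disable the port check.
 */
function example_http_allowed_safe_ports() {
    $default_ports = array( 80, 443, 8080 );

    $ports = apply_filters( 'http_allowed_safe_ports', $default_ports );

    // Accept only a non-empty array of integers within the TCP port range.
    $is_valid = is_array( $ports ) && ! empty( $ports );
    if ( $is_valid ) {
        foreach ( $ports as $port ) {
            if ( ! is_int( $port ) || $port < 1 || $port > 65535 ) {
                $is_valid = false;
                break;
            }
        }
    }

    if ( ! $is_valid ) {
        // Version string taken from the ticket milestone.
        _doing_it_wrong(
            'http_allowed_safe_ports',
            'The filter must return a non-empty array of integer port numbers. Falling back to the default ports.',
            '5.9'
        );
        return $default_ports;
    }

    return array_values( array_unique( $ports ) );
}

/**
 * Hypothetical port check in the spirit of wp_http_validate_url(): a URL with
 * no explicit port passes; an explicit port must be in the allowed list.
 */
function example_url_port_is_allowed( $url ) {
    $port = parse_url( $url, PHP_URL_PORT );
    if ( null === $port ) {
        return true;
    }
    return in_array( (int) $port, example_http_allowed_safe_ports(), true );
}

// Demonstration: a plugin that returns array(), exactly as in the comment above.
add_filter( 'http_allowed_safe_ports', function ( $ports ) { return array(); } );

var_dump( example_url_port_is_allowed( 'https://example.com:8080/feed' ) );
var_dump( example_url_port_is_allowed( 'https://example.com:22/' ) );
```

With the empty-array filter in place, the first call still succeeds because the defaults are retained, the second is rejected, and the `_doing_it_wrong()` notice points the plugin author at the misuse instead of the port restriction quietly disappearing.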
