[wp-trac] [WordPress Trac] #60934: Internal Subnets are being blocked by wp_parse_url and why?

WordPress Trac noreply at wordpress.org
Fri Apr 5 04:50:23 UTC 2024


#60934: Internal Subnets are being blocked by wp_parse_url and why?
--------------------------+-----------------------------
 Reporter:  erenfro       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  HTTP API      |    Version:  trunk
 Severity:  blocker       |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 https://github.com/WordPress/wordpress-develop/blob/6.5/src/wp-includes/http.php#L566-L588

 This code block has plagued me for months while trying to identify why the
 WordPress, ActivityPub, Friends, and Mastodon plugins could/would not work
 with my Friendica or Mastodon instances, and it's been because of these
 lines of code literally blocking it from even trying.

 I think this is a bad way to handle this, and I'm wondering why this
 literally non-essential software-level "firewall"-like code was put in.
 Malicious code certainly would not even bother to use wp_parse_url at all,
 let alone utilise this function to engage in things. Everyone I'd spoken
 to had no clue about this as well, just assuming WordPress had nothing
 like this there, which is clearly inaccurate given the code right there.

 Furthermore, there's literally no known documentation I could find about
 this, none within WordPress for sure. Through external resources I managed
 to find a way to get around this issue by creating a custom plugin that
 used a custom add_filter() to define a new instance, by each and every
 involved host by FQDN, to allow in this wp_http_validate_url function
 call.

 So, why does this code block exist to block internal IP subnets? If that's
 ever needed, one can literally do so at their firewalls where it should
 be, not bolted into their web application's code and blocking by default.
 And especially not documented or providing any clear-cut means to add
 rules in a reasonable manner towards this at the VERY least.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60934>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
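The workaround the reporter describes, allowing specific hosts by FQDN through a filter rather than disabling the check, is the narrow way to handle this: wp_http_validate_url() applies the `http_request_host_is_external` filter (a real WordPress core filter) after it has determined that a host resolves into a private range, and returning true from that filter lets the request proceed for that host only. The plugin below is an added example written for this page, not the reporter's plugin or WordPress core code; the two hostnames are placeholders you would replace with your own internal instances.

```php
<?php
/**
 * Plugin Name: Allowlist Internal Fediverse Hosts (example)
 * Description: Lets wp_http_validate_url() reach specific internal hosts, matched by exact FQDN.
 */

// Hostnames WordPress is deliberately allowed to contact even though they
// resolve to private/internal addresses. Placeholder values for this example.
const EXAMPLE_ALLOWED_INTERNAL_HOSTS = array(
	'friendica.internal.example',
	'mastodon.internal.example',
);

/**
 * Callback for the core 'http_request_host_is_external' filter.
 *
 * wp_http_validate_url() runs this filter once it has found that $host
 * resolves to a private range (10/8, 172.16/12, 192.168/16, 127/8).
 * Returning true permits the request; returning false keeps it blocked.
 *
 * @param bool   $external Whether an earlier filter already allowed the host.
 * @param string $host     Hostname taken from the URL being validated.
 * @param string $url      The full URL being validated.
 * @return bool
 */
function example_allow_internal_host( $external, $host, $url ) {
	if ( $external ) {
		return true; // Respect a decision another filter already made.
	}
	// Exact, case-insensitive match only. No wildcards or CIDR ranges, so
	// every additional internal host has to be added to the list on purpose.
	return in_array( strtolower( $host ), EXAMPLE_ALLOWED_INTERNAL_HOSTS, true );
}
add_filter( 'http_request_host_is_external', 'example_allow_internal_host', 10, 3 );
```

Drop this file into wp-content/plugins/ and activate it; every other host that resolves to a private address is still rejected by wp_http_validate_url() exactly as before, so the effect is limited to the names in the list.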