2008-08-01 07:00:07 +02:00
|
|
|
<?php
|
|
|
|
/**
|
2015-09-03 06:36:08 +02:00
|
|
|
* Core HTTP Request API
|
2008-08-01 20:44:40 +02:00
|
|
|
*
|
2015-08-26 05:55:21 +02:00
|
|
|
* Standardizes the HTTP requests for WordPress. Handles cookies, gzip encoding and decoding, chunk
|
|
|
|
* decoding, if HTTP 1.1 and various other difficult HTTP protocol implementations.
|
2008-08-01 07:00:07 +02:00
|
|
|
*
|
|
|
|
* @package WordPress
|
|
|
|
* @subpackage HTTP
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns the initialized WP_Http Object
|
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
* @access private
|
|
|
|
*
|
|
|
|
* @return WP_Http HTTP Transport object.
|
|
|
|
*/
|
|
|
|
function _wp_http_get_object() {
|
|
|
|
static $http = null;
|
|
|
|
|
|
|
|
if ( is_null( $http ) ) {
|
|
|
|
$http = new WP_Http();
|
|
|
|
}
|
|
|
|
return $http;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves the raw response from a safe HTTP request.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* This function is ideal when the HTTP request is being made to an arbitrary
|
2024-06-11 09:09:09 +02:00
|
|
|
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
|
|
|
|
* to avoid Server Side Request Forgery attacks (SSRF).
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
2024-06-11 09:09:09 +02:00
|
|
|
* @see wp_http_validate_url() For more information about how the URL is validated.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2024-06-11 09:09:09 +02:00
|
|
|
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
|
2024-06-11 09:29:12 +02:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_safe_remote_request( $url, $args = array() ) {
|
|
|
|
$args['reject_unsafe_urls'] = true;
|
2017-12-01 00:11:00 +01:00
|
|
|
$http = _wp_http_get_object();
|
2015-11-20 08:24:30 +01:00
|
|
|
return $http->request( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves the raw response from a safe HTTP request using the GET method.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* This function is ideal when the HTTP request is being made to an arbitrary
|
2024-06-11 09:09:09 +02:00
|
|
|
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
|
|
|
|
* to avoid Server Side Request Forgery attacks (SSRF).
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
2024-06-11 09:09:09 +02:00
|
|
|
* @see wp_http_validate_url() For more information about how the URL is validated.
|
|
|
|
*
|
|
|
|
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_safe_remote_get( $url, $args = array() ) {
|
|
|
|
$args['reject_unsafe_urls'] = true;
|
2017-12-01 00:11:00 +01:00
|
|
|
$http = _wp_http_get_object();
|
2015-11-20 08:24:30 +01:00
|
|
|
return $http->get( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves the raw response from a safe HTTP request using the POST method.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* This function is ideal when the HTTP request is being made to an arbitrary
|
2024-06-11 09:09:09 +02:00
|
|
|
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
|
|
|
|
* to avoid Server Side Request Forgery attacks (SSRF).
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
2024-06-11 09:09:09 +02:00
|
|
|
* @see wp_http_validate_url() For more information about how the URL is validated.
|
|
|
|
*
|
|
|
|
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_safe_remote_post( $url, $args = array() ) {
|
|
|
|
$args['reject_unsafe_urls'] = true;
|
2017-12-01 00:11:00 +01:00
|
|
|
$http = _wp_http_get_object();
|
2015-11-20 08:24:30 +01:00
|
|
|
return $http->post( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves the raw response from a safe HTTP request using the HEAD method.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* This function is ideal when the HTTP request is being made to an arbitrary
|
2024-06-11 09:09:09 +02:00
|
|
|
* URL. The URL, and every URL it redirects to, are validated with wp_http_validate_url()
|
|
|
|
* to avoid Server Side Request Forgery attacks (SSRF).
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
2024-06-11 09:09:09 +02:00
|
|
|
* @see wp_http_validate_url() For more information about how the URL is validated.
|
|
|
|
*
|
|
|
|
* @link https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_safe_remote_head( $url, $args = array() ) {
|
|
|
|
$args['reject_unsafe_urls'] = true;
|
2017-12-01 00:11:00 +01:00
|
|
|
$http = _wp_http_get_object();
|
2015-11-20 08:24:30 +01:00
|
|
|
return $http->head( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2019-10-12 20:05:04 +02:00
|
|
|
* Performs an HTTP request and returns its response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* There are other API functions available which abstract away the HTTP method:
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* - Default 'GET' for wp_remote_get()
|
|
|
|
* - Default 'POST' for wp_remote_post()
|
|
|
|
* - Default 'HEAD' for wp_remote_head()
|
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @see WP_Http::request() For information on default arguments.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error {
|
2019-10-12 20:05:04 +02:00
|
|
|
* The response array or a WP_Error on failure.
|
|
|
|
*
|
|
|
|
* @type string[] $headers Array of response headers keyed by their name.
|
|
|
|
* @type string $body Response body.
|
|
|
|
* @type array $response {
|
|
|
|
* Data about the HTTP response.
|
|
|
|
*
|
|
|
|
* @type int|false $code HTTP response code.
|
|
|
|
* @type string|false $message HTTP response message.
|
|
|
|
* }
|
|
|
|
* @type WP_HTTP_Cookie[] $cookies Array of response cookies.
|
|
|
|
* @type WP_HTTP_Requests_Response|null $http_response Raw HTTP response object.
|
|
|
|
* }
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
2017-12-01 00:11:00 +01:00
|
|
|
function wp_remote_request( $url, $args = array() ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$http = _wp_http_get_object();
|
|
|
|
return $http->request( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2019-10-07 21:08:06 +02:00
|
|
|
* Performs an HTTP request using the GET method and returns its response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
2017-12-01 00:11:00 +01:00
|
|
|
function wp_remote_get( $url, $args = array() ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$http = _wp_http_get_object();
|
|
|
|
return $http->get( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2019-10-07 21:08:06 +02:00
|
|
|
* Performs an HTTP request using the POST method and returns its response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
2017-12-01 00:11:00 +01:00
|
|
|
function wp_remote_post( $url, $args = array() ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$http = _wp_http_get_object();
|
|
|
|
return $http->post( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2019-10-07 21:08:06 +02:00
|
|
|
* Performs an HTTP request using the HEAD method and returns its response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
|
|
|
* @see wp_remote_request() For more information on the response array format.
|
|
|
|
* @see WP_Http::request() For default arguments information.
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param string $url URL to retrieve.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param array $args Optional. Request arguments. Default empty array.
|
2023-04-28 01:15:17 +02:00
|
|
|
* See WP_Http::request() for information on accepted arguments.
|
2019-11-11 03:43:03 +01:00
|
|
|
* @return array|WP_Error The response or WP_Error on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
2017-12-01 00:11:00 +01:00
|
|
|
function wp_remote_head( $url, $args = array() ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$http = _wp_http_get_object();
|
|
|
|
return $http->head( $url, $args );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves only the headers from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2008-12-30 23:53:35 +01:00
|
|
|
* @since 2.7.0
|
External Libraries: Update Requests library to version 2.0.0.
This is a major release and contains breaking changes.
Most important changes to be aware of for this release:
* All code is now namespaced. Though there is a full backward compatibility layer available and the old class names are still supported, using them will generate a deprecation notice (which can be silenced by plugins if they'd need to support multiple WP versions). See the [https://requests.ryanmccue.info/docs/upgrading.html upgrade guide] for more details.
* A lot of classes have been marked `final`. This should generally not affect userland code as care has been taken to not apply the `final` keyword to classes which are known to be extended in userland code.
* Extensive input validation has been added to Requests. When Requests is used as documented though, this will be unnoticable.
* A new `WpOrg\Requests\Requests::has_capabilities()` method has been introduced which can be used to address #37708.
* A new `WpOrg\Requests\Response::decode_body()` method has been introduced which may be usable to simplify some of the WP native wrapper code.
* Remaining PHP 8.0 compatibility fixed (support for named parameters).
* PHP 8.1 compatibility.
Release notes: https://github.com/WordPress/Requests/releases/tag/v2.0.0
For a full list of changes in this update, see the Requests GitHub:
https://github.com/WordPress/Requests/compare/v1.8.1...v2.0.0
This commit also resolves 2 blocking issues which previously caused the revert of [52244]:
* New Requests files are loaded into `wp-includes/Requests/src/`, matching the location of the library. In doing so, filesystems that are case-insensitive are not impacted (see #54582).
* Preload: During a Core update, the old Requests files are preloaded into memory before the update deletes the files. Preloading avoids fatal errors noted in #54562.
Follow-up to [50842], [51078], [52244], [52315], [52327], [52328].
Props jrf, schlessera, datagutten, wojsmol, dustinrue, soulseekah, szepeviktor. costdev, sergeybiryukov, peterwilsoncc, ironprogrammer, antonvlasenko, hellofromTonya, swissspidy, dd32, azaozz, TobiasBg, audrasjb.
Fixes #54504.
See #54582, #54562.
Built from https://develop.svn.wordpress.org/trunk@54997
git-svn-id: http://core.svn.wordpress.org/trunk@54530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-12-15 22:32:17 +01:00
|
|
|
* @since 4.6.0 Return value changed from an array to an WpOrg\Requests\Utility\CaseInsensitiveDictionary instance.
|
2016-10-05 05:51:28 +02:00
|
|
|
*
|
External Libraries: Update Requests library to version 2.0.0.
This is a major release and contains breaking changes.
Most important changes to be aware of for this release:
* All code is now namespaced. Though there is a full backward compatibility layer available and the old class names are still supported, using them will generate a deprecation notice (which can be silenced by plugins if they'd need to support multiple WP versions). See the [https://requests.ryanmccue.info/docs/upgrading.html upgrade guide] for more details.
* A lot of classes have been marked `final`. This should generally not affect userland code as care has been taken to not apply the `final` keyword to classes which are known to be extended in userland code.
* Extensive input validation has been added to Requests. When Requests is used as documented though, this will be unnoticable.
* A new `WpOrg\Requests\Requests::has_capabilities()` method has been introduced which can be used to address #37708.
* A new `WpOrg\Requests\Response::decode_body()` method has been introduced which may be usable to simplify some of the WP native wrapper code.
* Remaining PHP 8.0 compatibility fixed (support for named parameters).
* PHP 8.1 compatibility.
Release notes: https://github.com/WordPress/Requests/releases/tag/v2.0.0
For a full list of changes in this update, see the Requests GitHub:
https://github.com/WordPress/Requests/compare/v1.8.1...v2.0.0
This commit also resolves 2 blocking issues which previously caused the revert of [52244]:
* New Requests files are loaded into `wp-includes/Requests/src/`, matching the location of the library. In doing so, filesystems that are case-insensitive are not impacted (see #54582).
* Preload: During a Core update, the old Requests files are preloaded into memory before the update deletes the files. Preloading avoids fatal errors noted in #54562.
Follow-up to [50842], [51078], [52244], [52315], [52327], [52328].
Props jrf, schlessera, datagutten, wojsmol, dustinrue, soulseekah, szepeviktor. costdev, sergeybiryukov, peterwilsoncc, ironprogrammer, antonvlasenko, hellofromTonya, swissspidy, dd32, azaozz, TobiasBg, audrasjb.
Fixes #54504.
See #54582, #54562.
Built from https://develop.svn.wordpress.org/trunk@54997
git-svn-id: http://core.svn.wordpress.org/trunk@54530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-12-15 22:32:17 +01:00
|
|
|
* @see \WpOrg\Requests\Utility\CaseInsensitiveDictionary
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
External Libraries: Update Requests library to version 2.0.0.
This is a major release and contains breaking changes.
Most important changes to be aware of for this release:
* All code is now namespaced. Though there is a full backward compatibility layer available and the old class names are still supported, using them will generate a deprecation notice (which can be silenced by plugins if they'd need to support multiple WP versions). See the [https://requests.ryanmccue.info/docs/upgrading.html upgrade guide] for more details.
* A lot of classes have been marked `final`. This should generally not affect userland code as care has been taken to not apply the `final` keyword to classes which are known to be extended in userland code.
* Extensive input validation has been added to Requests. When Requests is used as documented though, this will be unnoticable.
* A new `WpOrg\Requests\Requests::has_capabilities()` method has been introduced which can be used to address #37708.
* A new `WpOrg\Requests\Response::decode_body()` method has been introduced which may be usable to simplify some of the WP native wrapper code.
* Remaining PHP 8.0 compatibility fixed (support for named parameters).
* PHP 8.1 compatibility.
Release notes: https://github.com/WordPress/Requests/releases/tag/v2.0.0
For a full list of changes in this update, see the Requests GitHub:
https://github.com/WordPress/Requests/compare/v1.8.1...v2.0.0
This commit also resolves 2 blocking issues which previously caused the revert of [52244]:
* New Requests files are loaded into `wp-includes/Requests/src/`, matching the location of the library. In doing so, filesystems that are case-insensitive are not impacted (see #54582).
* Preload: During a Core update, the old Requests files are preloaded into memory before the update deletes the files. Preloading avoids fatal errors noted in #54562.
Follow-up to [50842], [51078], [52244], [52315], [52327], [52328].
Props jrf, schlessera, datagutten, wojsmol, dustinrue, soulseekah, szepeviktor. costdev, sergeybiryukov, peterwilsoncc, ironprogrammer, antonvlasenko, hellofromTonya, swissspidy, dd32, azaozz, TobiasBg, audrasjb.
Fixes #54504.
See #54582, #54562.
Built from https://develop.svn.wordpress.org/trunk@54997
git-svn-id: http://core.svn.wordpress.org/trunk@54530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-12-15 22:32:17 +01:00
|
|
|
* @return \WpOrg\Requests\Utility\CaseInsensitiveDictionary|array The headers of the response, or empty array
|
|
|
|
* if incorrect parameter given.
|
2008-08-01 07:00:07 +02:00
|
|
|
*/
|
2015-11-20 08:24:30 +01:00
|
|
|
function wp_remote_retrieve_headers( $response ) {
|
2016-05-13 06:42:28 +02:00
|
|
|
if ( is_wp_error( $response ) || ! isset( $response['headers'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return array();
|
2016-05-13 06:42:28 +02:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
return $response['headers'];
|
|
|
|
}
|
2008-08-01 07:00:07 +02:00
|
|
|
|
2015-11-20 08:24:30 +01:00
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves a single header by name from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
|
|
|
* @param string $header Header name to retrieve value from.
|
2022-01-04 19:54:00 +01:00
|
|
|
* @return array|string The header(s) value(s). Array if multiple headers with the same name are retrieved.
|
|
|
|
* Empty string if incorrect parameter given, or if the header doesn't exist.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_header( $response, $header ) {
|
2016-05-13 06:42:28 +02:00
|
|
|
if ( is_wp_error( $response ) || ! isset( $response['headers'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return '';
|
2016-05-13 06:42:28 +02:00
|
|
|
}
|
2015-09-03 06:36:30 +02:00
|
|
|
|
2016-05-13 06:42:28 +02:00
|
|
|
if ( isset( $response['headers'][ $header ] ) ) {
|
2017-12-01 00:11:00 +01:00
|
|
|
return $response['headers'][ $header ];
|
2016-05-13 06:42:28 +02:00
|
|
|
}
|
2015-09-03 06:36:30 +02:00
|
|
|
|
2015-11-20 08:24:30 +01:00
|
|
|
return '';
|
|
|
|
}
|
2015-09-03 06:36:30 +02:00
|
|
|
|
2015-11-20 08:24:30 +01:00
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves only the response code from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2022-01-13 02:04:01 +01:00
|
|
|
* Will return an empty string if incorrect parameter value is given.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
Docs: Correct `@return` value for `wp_get_http_headers()`.
Following the update to replace the HTTP API internals with Requests library in WordPress 4.6, the return value of `wp_remote_retrieve_headers()` has changed from a simple array to an object which implements `ArrayAccess`.
Since `wp_get_http_headers()` directly returns the result of `wp_remote_retrieve_headers()`, its return value should reflect that change.
Includes:
* Updating the return value for the deprecated `wp_get_http()` function, which also directly returns the result of `wp_remote_retrieve_headers()`.
* Minor DocBlock formatting changes for some other HTTP API functions per the documentation standards.
Follow-up to [2416], [6390], [8092], [9013], [37428], [37989], [38730].
Props mhkuu.
See #54225, #55646.
Built from https://develop.svn.wordpress.org/trunk@54157
git-svn-id: http://core.svn.wordpress.org/trunk@53716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-14 15:08:14 +02:00
|
|
|
* @return int|string The response code as an integer. Empty string if incorrect parameter given.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_response_code( $response ) {
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( is_wp_error( $response ) || ! isset( $response['response'] ) || ! is_array( $response['response'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return '';
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-09-03 06:36:30 +02:00
|
|
|
|
2015-11-20 08:24:30 +01:00
|
|
|
return $response['response']['code'];
|
|
|
|
}
|
2015-09-03 06:36:30 +02:00
|
|
|
|
2015-11-20 08:24:30 +01:00
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves only the response message from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2022-01-13 02:04:01 +01:00
|
|
|
* Will return an empty string if incorrect parameter value is given.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
Docs: Correct `@return` value for `wp_get_http_headers()`.
Following the update to replace the HTTP API internals with Requests library in WordPress 4.6, the return value of `wp_remote_retrieve_headers()` has changed from a simple array to an object which implements `ArrayAccess`.
Since `wp_get_http_headers()` directly returns the result of `wp_remote_retrieve_headers()`, its return value should reflect that change.
Includes:
* Updating the return value for the deprecated `wp_get_http()` function, which also directly returns the result of `wp_remote_retrieve_headers()`.
* Minor DocBlock formatting changes for some other HTTP API functions per the documentation standards.
Follow-up to [2416], [6390], [8092], [9013], [37428], [37989], [38730].
Props mhkuu.
See #54225, #55646.
Built from https://develop.svn.wordpress.org/trunk@54157
git-svn-id: http://core.svn.wordpress.org/trunk@53716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-14 15:08:14 +02:00
|
|
|
* @return string The response message. Empty string if incorrect parameter given.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_response_message( $response ) {
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( is_wp_error( $response ) || ! isset( $response['response'] ) || ! is_array( $response['response'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return '';
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
return $response['response']['message'];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves only the body from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 2.7.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @return string The body of the response. Empty string if no body or incorrect parameter given.
|
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_body( $response ) {
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( is_wp_error( $response ) || ! isset( $response['body'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return '';
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
return $response['body'];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves only the cookies from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 4.4.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
Docs: Correct `@return` value for `wp_get_http_headers()`.
Following the update to replace the HTTP API internals with Requests library in WordPress 4.6, the return value of `wp_remote_retrieve_headers()` has changed from a simple array to an object which implements `ArrayAccess`.
Since `wp_get_http_headers()` directly returns the result of `wp_remote_retrieve_headers()`, its return value should reflect that change.
Includes:
* Updating the return value for the deprecated `wp_get_http()` function, which also directly returns the result of `wp_remote_retrieve_headers()`.
* Minor DocBlock formatting changes for some other HTTP API functions per the documentation standards.
Follow-up to [2416], [6390], [8092], [9013], [37428], [37989], [38730].
Props mhkuu.
See #54225, #55646.
Built from https://develop.svn.wordpress.org/trunk@54157
git-svn-id: http://core.svn.wordpress.org/trunk@53716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-14 15:08:14 +02:00
|
|
|
* @return WP_Http_Cookie[] An array of `WP_Http_Cookie` objects from the response.
|
|
|
|
* Empty array if there are none, or the response is a WP_Error.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_cookies( $response ) {
|
|
|
|
if ( is_wp_error( $response ) || empty( $response['cookies'] ) ) {
|
|
|
|
return array();
|
|
|
|
}
|
|
|
|
|
|
|
|
return $response['cookies'];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves a single cookie by name from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 4.4.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
|
|
|
* @param string $name The name of the cookie to retrieve.
|
Docs: Correct `@return` value for `wp_get_http_headers()`.
Following the update to replace the HTTP API internals with Requests library in WordPress 4.6, the return value of `wp_remote_retrieve_headers()` has changed from a simple array to an object which implements `ArrayAccess`.
Since `wp_get_http_headers()` directly returns the result of `wp_remote_retrieve_headers()`, its return value should reflect that change.
Includes:
* Updating the return value for the deprecated `wp_get_http()` function, which also directly returns the result of `wp_remote_retrieve_headers()`.
* Minor DocBlock formatting changes for some other HTTP API functions per the documentation standards.
Follow-up to [2416], [6390], [8092], [9013], [37428], [37989], [38730].
Props mhkuu.
See #54225, #55646.
Built from https://develop.svn.wordpress.org/trunk@54157
git-svn-id: http://core.svn.wordpress.org/trunk@53716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-14 15:08:14 +02:00
|
|
|
* @return WP_Http_Cookie|string The `WP_Http_Cookie` object, or empty string
|
|
|
|
* if the cookie is not present in the response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_cookie( $response, $name ) {
|
|
|
|
$cookies = wp_remote_retrieve_cookies( $response );
|
|
|
|
|
|
|
|
if ( empty( $cookies ) ) {
|
|
|
|
return '';
|
|
|
|
}
|
|
|
|
|
|
|
|
foreach ( $cookies as $cookie ) {
|
|
|
|
if ( $cookie->name === $name ) {
|
|
|
|
return $cookie;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return '';
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves a single cookie's value by name from the raw response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 4.4.0
|
|
|
|
*
|
2019-10-12 20:05:04 +02:00
|
|
|
* @param array|WP_Error $response HTTP response.
|
|
|
|
* @param string $name The name of the cookie to retrieve.
|
Docs: Correct `@return` value for `wp_get_http_headers()`.
Following the update to replace the HTTP API internals with Requests library in WordPress 4.6, the return value of `wp_remote_retrieve_headers()` has changed from a simple array to an object which implements `ArrayAccess`.
Since `wp_get_http_headers()` directly returns the result of `wp_remote_retrieve_headers()`, its return value should reflect that change.
Includes:
* Updating the return value for the deprecated `wp_get_http()` function, which also directly returns the result of `wp_remote_retrieve_headers()`.
* Minor DocBlock formatting changes for some other HTTP API functions per the documentation standards.
Follow-up to [2416], [6390], [8092], [9013], [37428], [37989], [38730].
Props mhkuu.
See #54225, #55646.
Built from https://develop.svn.wordpress.org/trunk@54157
git-svn-id: http://core.svn.wordpress.org/trunk@53716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-14 15:08:14 +02:00
|
|
|
* @return string The value of the cookie, or empty string
|
|
|
|
* if the cookie is not present in the response.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_remote_retrieve_cookie_value( $response, $name ) {
|
|
|
|
$cookie = wp_remote_retrieve_cookie( $response, $name );
|
|
|
|
|
Coding Standards: Use `instanceof` keyword instead of the `is_a()` function.
This is a micro-optimization that removes a few unnecessary function calls.
Follow-up to [31188], [34369], [38986], [41159], [43211], [43230], [44606], [45757].
Props ayeshrajans, jrf, rajinsharwar, costdev, mukesh27, SergeyBiryukov.
Fixes #58943.
Built from https://develop.svn.wordpress.org/trunk@56352
git-svn-id: http://core.svn.wordpress.org/trunk@55864 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-08-03 14:10:28 +02:00
|
|
|
if ( ! ( $cookie instanceof WP_Http_Cookie ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return '';
|
|
|
|
}
|
|
|
|
|
|
|
|
return $cookie->value;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Determines if there is an HTTP Transport that can process this request.
|
|
|
|
*
|
|
|
|
* @since 3.2.0
|
|
|
|
*
|
|
|
|
* @param array $capabilities Array of capabilities to test or a wp_remote_request() $args array.
|
|
|
|
* @param string $url Optional. If given, will check if the URL requires SSL and adds
|
|
|
|
* that requirement to the capabilities array.
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
function wp_http_supports( $capabilities = array(), $url = null ) {
|
|
|
|
$http = _wp_http_get_object();
|
|
|
|
|
|
|
|
$capabilities = wp_parse_args( $capabilities );
|
|
|
|
|
|
|
|
$count = count( $capabilities );
|
|
|
|
|
2020-01-29 01:45:18 +01:00
|
|
|
// If we have a numeric $capabilities array, spoof a wp_remote_request() associative $args array.
|
2023-04-13 17:43:21 +02:00
|
|
|
if ( $count && count( array_filter( array_keys( $capabilities ), 'is_numeric' ) ) === $count ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$capabilities = array_combine( array_values( $capabilities ), array_fill( 0, $count, true ) );
|
|
|
|
}
|
|
|
|
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( $url && ! isset( $capabilities['ssl'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$scheme = parse_url( $url, PHP_URL_SCHEME );
|
2020-05-16 20:42:12 +02:00
|
|
|
if ( 'https' === $scheme || 'ssl' === $scheme ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$capabilities['ssl'] = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return (bool) $http->_get_first_available_transport( $capabilities );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Gets the HTTP Origin of the current request.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
|
|
|
* @return string URL of the origin. Empty string if no origin.
|
|
|
|
*/
|
|
|
|
function get_http_origin() {
|
|
|
|
$origin = '';
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( ! empty( $_SERVER['HTTP_ORIGIN'] ) ) {
|
|
|
|
$origin = $_SERVER['HTTP_ORIGIN'];
|
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Changes the origin of an HTTP request.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
|
|
|
* @param string $origin The original origin for the request.
|
|
|
|
*/
|
|
|
|
return apply_filters( 'http_origin', $origin );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves list of allowed HTTP origins.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
2019-10-07 21:08:06 +02:00
|
|
|
* @return string[] Array of origin URLs.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function get_allowed_http_origins() {
|
|
|
|
$admin_origin = parse_url( admin_url() );
|
2017-12-01 00:11:00 +01:00
|
|
|
$home_origin = parse_url( home_url() );
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2020-01-29 01:45:18 +01:00
|
|
|
// @todo Preserve port?
|
2017-12-01 00:11:00 +01:00
|
|
|
$allowed_origins = array_unique(
|
|
|
|
array(
|
|
|
|
'http://' . $admin_origin['host'],
|
|
|
|
'https://' . $admin_origin['host'],
|
|
|
|
'http://' . $home_origin['host'],
|
|
|
|
'https://' . $home_origin['host'],
|
|
|
|
)
|
|
|
|
);
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Changes the origin types allowed for HTTP requests.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
2019-10-07 21:08:06 +02:00
|
|
|
* @param string[] $allowed_origins {
|
|
|
|
* Array of default allowed HTTP origins.
|
|
|
|
*
|
|
|
|
* @type string $0 Non-secure URL for admin origin.
|
|
|
|
* @type string $1 Secure URL for admin origin.
|
|
|
|
* @type string $2 Non-secure URL for home origin.
|
|
|
|
* @type string $3 Secure URL for home origin.
|
2015-11-20 08:24:30 +01:00
|
|
|
* }
|
|
|
|
*/
|
2017-12-01 00:11:00 +01:00
|
|
|
return apply_filters( 'allowed_http_origins', $allowed_origins );
|
2015-11-20 08:24:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Determines if the HTTP origin is an authorized one.
|
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
Docs: List the expected type first in a few functions:
* `is_allowed_http_origin()`
* `doing_filter()`
* `wp_get_post_revisions_url()`
Follow-up to [28010], [28889], [30674], [46696], [47060], [48068], [49929], [49963], [52095], [51286], [52111].
See #55646.
Built from https://develop.svn.wordpress.org/trunk@53770
git-svn-id: http://core.svn.wordpress.org/trunk@53329 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-07-23 18:57:09 +02:00
|
|
|
* @param string|null $origin Origin URL. If not provided, the value of get_http_origin() is used.
|
2016-01-26 01:39:26 +01:00
|
|
|
* @return string Origin URL if allowed, empty string if not.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function is_allowed_http_origin( $origin = null ) {
|
|
|
|
$origin_arg = $origin;
|
|
|
|
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( null === $origin ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$origin = get_http_origin();
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2020-04-05 05:02:11 +02:00
|
|
|
if ( $origin && ! in_array( $origin, get_allowed_http_origins(), true ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$origin = '';
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Changes the allowed HTTP origin result.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
2016-01-26 01:39:26 +01:00
|
|
|
* @param string $origin Origin URL if allowed, empty string if not.
|
2015-11-20 08:24:30 +01:00
|
|
|
* @param string $origin_arg Original origin string passed into is_allowed_http_origin function.
|
|
|
|
*/
|
|
|
|
return apply_filters( 'allowed_http_origin', $origin, $origin_arg );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Sends Access-Control-Allow-Origin and related headers if the current request
|
2015-11-20 08:24:30 +01:00
|
|
|
* is from an allowed origin.
|
|
|
|
*
|
|
|
|
* If the request is an OPTIONS request, the script exits with either access
|
|
|
|
* control headers sent, or a 403 response if the origin is not allowed. For
|
|
|
|
* other request methods, you will receive a return value.
|
|
|
|
*
|
|
|
|
* @since 3.4.0
|
|
|
|
*
|
|
|
|
* @return string|false Returns the origin URL if headers are sent. Returns false
|
|
|
|
* if headers are not sent.
|
|
|
|
*/
|
|
|
|
function send_origin_headers() {
|
|
|
|
$origin = get_http_origin();
|
|
|
|
|
|
|
|
if ( is_allowed_http_origin( $origin ) ) {
|
2019-07-09 07:45:58 +02:00
|
|
|
header( 'Access-Control-Allow-Origin: ' . $origin );
|
|
|
|
header( 'Access-Control-Allow-Credentials: true' );
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
exit;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
return $origin;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
|
|
|
|
status_header( 403 );
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Validates a URL for safe use in the HTTP API.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2024-06-11 09:09:09 +02:00
|
|
|
* Examples of URLs that are considered unsafe:
|
|
|
|
*
|
2024-06-11 14:06:16 +02:00
|
|
|
* - ftp://example.com/caniload.php - Invalid protocol - only http and https are allowed.
|
|
|
|
* - http:///example.com/caniload.php - Malformed URL.
|
|
|
|
* - http://user:pass@example.com/caniload.php - Login information.
|
Tests: Use better domain for HTTP API invalid hostname test.
The previous domain that was used to test for a host whose IPv4 address cannot be resolved, `exampleeeee.com`, got registered and has an A-record now, so it's not invalid anymore.
`.invalid` is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.
Reference: [https://datatracker.ietf.org/doc/html/rfc2606#section-2 Reserved Top Level DNS Names: TLDs for Testing, & Documentation Examples].
Follow-up to [52084], [58384], [58388].
Reviewed by peterwilsoncc.
Merges [59293] to the 6.6 branch.
Props sippis, johnbillion, MattyRob, swissspidy, SergeyBiryukov.
Fixes #62303.
Built from https://develop.svn.wordpress.org/branches/6.6@59298
git-svn-id: http://core.svn.wordpress.org/branches/6.6@58690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-10-27 23:34:16 +01:00
|
|
|
* - http://example.invalid/caniload.php - Invalid hostname, as the IP cannot be looked up in DNS.
|
2024-06-11 09:09:09 +02:00
|
|
|
*
|
2024-06-11 14:06:16 +02:00
|
|
|
* Examples of URLs that are considered unsafe by default:
|
2024-06-11 09:09:09 +02:00
|
|
|
*
|
2024-06-11 14:06:16 +02:00
|
|
|
* - http://192.168.0.1/caniload.php - IPs from LAN networks.
|
|
|
|
* This can be changed with the {@see 'http_request_host_is_external'} filter.
|
|
|
|
* - http://198.143.164.252:81/caniload.php - By default, only 80, 443, and 8080 ports are allowed.
|
|
|
|
* This can be changed with the {@see 'http_allowed_safe_ports'} filter.
|
2024-06-11 09:09:09 +02:00
|
|
|
*
|
2015-11-20 08:24:30 +01:00
|
|
|
* @since 3.5.2
|
|
|
|
*
|
2019-10-07 21:08:06 +02:00
|
|
|
* @param string $url Request URL.
|
2020-01-11 19:32:05 +01:00
|
|
|
* @return string|false URL or false on failure.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
|
|
|
function wp_http_validate_url( $url ) {
|
2021-11-09 23:39:00 +01:00
|
|
|
if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2015-11-20 08:24:30 +01:00
|
|
|
$original_url = $url;
|
2017-12-01 00:11:00 +01:00
|
|
|
$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
|
|
|
|
if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return false;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2020-04-24 09:28:10 +02:00
|
|
|
$parsed_url = parse_url( $url );
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( ! $parsed_url || empty( $parsed_url['host'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return false;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return false;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return false;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2020-04-24 09:28:10 +02:00
|
|
|
$parsed_home = parse_url( get_option( 'home' ) );
|
2021-11-09 23:39:00 +01:00
|
|
|
$same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
|
|
|
|
$host = trim( $parsed_url['host'], '.' );
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
if ( ! $same_host ) {
|
2016-03-30 17:38:26 +02:00
|
|
|
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$ip = $host;
|
|
|
|
} else {
|
|
|
|
$ip = gethostbyname( $host );
|
2020-01-29 01:45:18 +01:00
|
|
|
if ( $ip === $host ) { // Error condition for gethostbyname().
|
2019-10-14 17:27:04 +02:00
|
|
|
return false;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
}
|
|
|
|
if ( $ip ) {
|
|
|
|
$parts = array_map( 'intval', explode( '.', $ip ) );
|
2016-02-02 13:55:29 +01:00
|
|
|
if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
|
2015-11-20 08:24:30 +01:00
|
|
|
|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
|
|
|
|
|| ( 192 === $parts[0] && 168 === $parts[1] )
|
|
|
|
) {
|
|
|
|
// If host appears local, reject unless specifically allowed.
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Checks if HTTP request is external or not.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* Allows to change and allow external requests for the HTTP request.
|
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
2019-10-07 21:08:06 +02:00
|
|
|
* @param bool $external Whether HTTP request is external or not.
|
|
|
|
* @param string $host Host name of the requested URL.
|
|
|
|
* @param string $url Requested URL.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return false;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( empty( $parsed_url['port'] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return $url;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
$port = $parsed_url['port'];
|
2021-11-09 23:39:00 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Controls the list of ports considered safe in HTTP API.
|
|
|
|
*
|
|
|
|
* Allows to change and allow external requests for the HTTP request.
|
|
|
|
*
|
|
|
|
* @since 5.9.0
|
|
|
|
*
|
2023-04-28 00:29:18 +02:00
|
|
|
* @param int[] $allowed_ports Array of integers for valid ports.
|
2021-11-09 23:39:00 +01:00
|
|
|
* @param string $host Host name of the requested URL.
|
|
|
|
* @param string $url Requested URL.
|
|
|
|
*/
|
|
|
|
$allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url );
|
2021-11-09 23:59:58 +01:00
|
|
|
if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return $url;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( $parsed_home && $same_host && isset( $parsed_home['port'] ) && $parsed_home['port'] === $port ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return $url;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Marks allowed redirect hosts safe for HTTP requests as well.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2016-05-23 21:01:27 +02:00
|
|
|
* Attached to the {@see 'http_request_host_is_external'} filter.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
|
|
|
* @param bool $is_external
|
|
|
|
* @param string $host
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
function allowed_http_request_hosts( $is_external, $host ) {
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( ! $is_external && wp_validate_redirect( 'http://' . $host ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
$is_external = true;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
return $is_external;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language.
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes #50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-22 19:26:13 +02:00
|
|
|
* Adds any domain in a multisite installation for safe HTTP requests to the
|
|
|
|
* allowed list.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2016-05-23 21:01:27 +02:00
|
|
|
* Attached to the {@see 'http_request_host_is_external'} filter.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 3.6.0
|
|
|
|
*
|
|
|
|
* @global wpdb $wpdb WordPress database abstraction object.
|
|
|
|
*
|
|
|
|
* @param bool $is_external
|
|
|
|
* @param string $host
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
function ms_allowed_http_request_hosts( $is_external, $host ) {
|
|
|
|
global $wpdb;
|
|
|
|
static $queried = array();
|
2017-12-01 00:11:00 +01:00
|
|
|
if ( $is_external ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return $is_external;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2020-02-09 17:55:09 +01:00
|
|
|
if ( get_network()->domain === $host ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return true;
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
|
|
|
if ( isset( $queried[ $host ] ) ) {
|
2015-11-20 08:24:30 +01:00
|
|
|
return $queried[ $host ];
|
2017-12-01 00:11:00 +01:00
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
$queried[ $host ] = (bool) $wpdb->get_var( $wpdb->prepare( "SELECT domain FROM $wpdb->blogs WHERE domain = %s LIMIT 1", $host ) );
|
|
|
|
return $queried[ $host ];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2022-03-10 17:02:01 +01:00
|
|
|
* A wrapper for PHP's parse_url() function that handles consistency in the return values
|
|
|
|
* across PHP versions.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
2022-03-10 17:02:01 +01:00
|
|
|
* PHP 5.4.7 expanded parse_url()'s ability to handle non-absolute URLs, including
|
|
|
|
* schemeless and relative URLs with "://" in the path. This function works around
|
2016-10-04 22:33:29 +02:00
|
|
|
* those limitations providing a standard output on PHP 5.2~5.4+.
|
|
|
|
*
|
2022-03-10 17:02:01 +01:00
|
|
|
* Secondly, across various PHP versions, schemeless URLs containing a ":" in the query
|
|
|
|
* are being handled inconsistently. This function works around those differences as well.
|
2015-11-20 08:24:30 +01:00
|
|
|
*
|
|
|
|
* @since 4.4.0
|
2018-02-09 17:55:31 +01:00
|
|
|
* @since 4.7.0 The `$component` parameter was added for parity with PHP's `parse_url()`.
|
2016-09-30 23:47:28 +02:00
|
|
|
*
|
2020-01-20 04:14:06 +01:00
|
|
|
* @link https://www.php.net/manual/en/function.parse-url.php
|
2017-06-26 00:06:41 +02:00
|
|
|
*
|
2016-09-30 23:47:28 +02:00
|
|
|
* @param string $url The URL to parse.
|
|
|
|
* @param int $component The specific component to retrieve. Use one of the PHP
|
|
|
|
* predefined constants to specify which one.
|
|
|
|
* Defaults to -1 (= return all parts as an array).
|
2016-10-04 22:33:29 +02:00
|
|
|
* @return mixed False on parse failure; Array of URL components on success;
|
|
|
|
* When a specific component has been requested: null if the component
|
2017-03-17 20:02:40 +01:00
|
|
|
* doesn't exist in the given URL; a string or - in the case of
|
2016-10-04 22:33:29 +02:00
|
|
|
* PHP_URL_PORT - integer when it does. See parse_url()'s return values.
|
2015-11-20 08:24:30 +01:00
|
|
|
*/
|
2016-09-30 23:47:28 +02:00
|
|
|
function wp_parse_url( $url, $component = -1 ) {
|
2016-10-04 22:33:29 +02:00
|
|
|
$to_unset = array();
|
2020-10-08 23:15:13 +02:00
|
|
|
$url = (string) $url;
|
2016-10-04 22:33:29 +02:00
|
|
|
|
Code Modernization: Replace usage of `substr()` with `str_starts_with()` and `str_ends_with()`.
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes #58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-22 16:57:24 +02:00
|
|
|
if ( str_starts_with( $url, '//' ) ) {
|
2016-10-04 22:33:29 +02:00
|
|
|
$to_unset[] = 'scheme';
|
2017-12-01 00:11:00 +01:00
|
|
|
$url = 'placeholder:' . $url;
|
Code Modernization: Replace usage of `substr()` with `str_starts_with()` and `str_ends_with()`.
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes #58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-22 16:57:24 +02:00
|
|
|
} elseif ( str_starts_with( $url, '/' ) ) {
|
2016-10-04 22:33:29 +02:00
|
|
|
$to_unset[] = 'scheme';
|
|
|
|
$to_unset[] = 'host';
|
2017-12-01 00:11:00 +01:00
|
|
|
$url = 'placeholder://placeholder' . $url;
|
2016-10-04 22:33:29 +02:00
|
|
|
}
|
|
|
|
|
2020-04-24 09:28:10 +02:00
|
|
|
$parts = parse_url( $url );
|
2016-09-30 23:47:28 +02:00
|
|
|
|
2016-10-04 22:33:29 +02:00
|
|
|
if ( false === $parts ) {
|
|
|
|
// Parsing failure.
|
2016-09-30 23:47:28 +02:00
|
|
|
return $parts;
|
|
|
|
}
|
|
|
|
|
2016-10-04 22:33:29 +02:00
|
|
|
// Remove the placeholder values.
|
|
|
|
foreach ( $to_unset as $key ) {
|
|
|
|
unset( $parts[ $key ] );
|
2015-11-20 08:24:30 +01:00
|
|
|
}
|
2015-09-03 06:36:30 +02:00
|
|
|
|
2016-10-04 22:33:29 +02:00
|
|
|
return _get_component_from_parsed_url_array( $parts, $component );
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Retrieves a specific component from a parsed URL array.
|
2016-10-04 22:33:29 +02:00
|
|
|
*
|
|
|
|
* @internal
|
|
|
|
*
|
|
|
|
* @since 4.7.0
|
2017-09-23 00:00:47 +02:00
|
|
|
* @access private
|
2016-10-04 22:33:29 +02:00
|
|
|
*
|
2020-01-20 04:14:06 +01:00
|
|
|
* @link https://www.php.net/manual/en/function.parse-url.php
|
2017-06-26 00:06:41 +02:00
|
|
|
*
|
2016-10-04 22:33:29 +02:00
|
|
|
* @param array|false $url_parts The parsed URL. Can be false if the URL failed to parse.
|
2019-10-07 21:08:06 +02:00
|
|
|
* @param int $component The specific component to retrieve. Use one of the PHP
|
|
|
|
* predefined constants to specify which one.
|
|
|
|
* Defaults to -1 (= return all parts as an array).
|
2016-10-04 22:33:29 +02:00
|
|
|
* @return mixed False on parse failure; Array of URL components on success;
|
|
|
|
* When a specific component has been requested: null if the component
|
2017-03-17 20:02:40 +01:00
|
|
|
* doesn't exist in the given URL; a string or - in the case of
|
2016-10-04 22:33:29 +02:00
|
|
|
* PHP_URL_PORT - integer when it does. See parse_url()'s return values.
|
|
|
|
*/
|
|
|
|
function _get_component_from_parsed_url_array( $url_parts, $component = -1 ) {
|
|
|
|
if ( -1 === $component ) {
|
|
|
|
return $url_parts;
|
2015-11-20 08:24:30 +01:00
|
|
|
}
|
2015-10-08 21:29:25 +02:00
|
|
|
|
2016-10-04 22:33:29 +02:00
|
|
|
$key = _wp_translate_php_url_constant_to_key( $component );
|
|
|
|
if ( false !== $key && is_array( $url_parts ) && isset( $url_parts[ $key ] ) ) {
|
|
|
|
return $url_parts[ $key ];
|
|
|
|
} else {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-06-11 09:14:13 +02:00
|
|
|
* Translates a PHP_URL_* constant to the named array keys PHP uses.
|
2016-10-04 22:33:29 +02:00
|
|
|
*
|
|
|
|
* @internal
|
|
|
|
*
|
|
|
|
* @since 4.7.0
|
2017-09-23 00:00:47 +02:00
|
|
|
* @access private
|
2016-10-04 22:33:29 +02:00
|
|
|
*
|
2020-01-20 04:14:06 +01:00
|
|
|
* @link https://www.php.net/manual/en/url.constants.php
|
2016-10-04 22:33:29 +02:00
|
|
|
*
|
|
|
|
* @param int $constant PHP_URL_* constant.
|
2019-10-07 21:08:06 +02:00
|
|
|
* @return string|false The named key or false.
|
2016-10-04 22:33:29 +02:00
|
|
|
*/
|
|
|
|
function _wp_translate_php_url_constant_to_key( $constant ) {
|
|
|
|
$translation = array(
|
|
|
|
PHP_URL_SCHEME => 'scheme',
|
|
|
|
PHP_URL_HOST => 'host',
|
|
|
|
PHP_URL_PORT => 'port',
|
|
|
|
PHP_URL_USER => 'user',
|
|
|
|
PHP_URL_PASS => 'pass',
|
|
|
|
PHP_URL_PATH => 'path',
|
|
|
|
PHP_URL_QUERY => 'query',
|
|
|
|
PHP_URL_FRAGMENT => 'fragment',
|
|
|
|
);
|
|
|
|
|
|
|
|
if ( isset( $translation[ $constant ] ) ) {
|
|
|
|
return $translation[ $constant ];
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
2015-11-20 08:24:30 +01:00
|
|
|
}
|