Validate pingback source URIs. Less verbose errors.

git-svn-id: http://core.svn.wordpress.org/branches/3.4@23331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
commit 9bd6a810f2b4f49d41d960d9278fba71f355ddb9 1 parent d281b16
@nacin nacin authored
34 wp-includes/class-wp-xmlrpc-server.php
@@ -4918,10 +4918,14 @@ function pingback_ping($args) {
$pagelinkedto = str_replace('&', '&', $pagelinkedto);
$pagelinkedto = str_replace('&', '&', $pagelinkedto);
+ $pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto );
+ if ( ! $pagelinkedfrom )
+ return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) );
+
// Check if the page linked to is in our site
$pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home')));
if ( !$pos1 )
- return new IXR_Error(0, __('Is there no link to us?'));
+ return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
// let's find which post is linked to
// FIXME: does url_to_postid() cover all these cases already?
@@ -4955,39 +4959,39 @@ function pingback_ping($args) {
$sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
if (! ($post_ID = $wpdb->get_var($sql)) ) {
// returning unknown error '0' is better than die()ing
- return new IXR_Error(0, '');
+ return $this->pingback_error( 0, '' );
}
$way = 'from the fragment (title)';
}
} else {
// TODO: Attempt to extract a post ID from the given URL
- return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+ return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
}
$post_ID = (int) $post_ID;
$post = get_post($post_ID);
if ( !$post ) // Post_ID not found
- return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+ return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
if ( $post_ID == url_to_postid($pagelinkedfrom) )
- return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.'));
+ return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
// Check if pings are on
if ( !pings_open($post) )
- return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+ return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
// Let's check that the remote site didn't already pingback this entry
if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
- return new IXR_Error( 48, __( 'The pingback has already been registered.' ) );
+ return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
// very stupid, but gives time to the 'from' server to publish !
sleep(1);
// Let's check the remote site
- $linea = wp_remote_fopen( $pagelinkedfrom );
+ $linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) );
if ( !$linea )
- return new IXR_Error(16, __('The source URL does not exist.'));
+ return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
$linea = apply_filters('pre_remote_source', $linea, $pagelinkedto);
@@ -4999,7 +5003,7 @@ function pingback_ping($args) {
preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
$title = $matchtitle[1];
if ( empty( $title ) )
- return new IXR_Error(32, __('We cannot find a title on that page.'));
+ return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
$linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
@@ -5035,7 +5039,7 @@ function pingback_ping($args) {
}
if ( empty($context) ) // Link to target not found
- return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.'));
+ return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
$pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
@@ -5082,14 +5086,14 @@ function pingback_extensions_getPingbacks($args) {
$post_ID = url_to_postid($url);
if ( !$post_ID ) {
// We aren't sure that the resource is available and/or pingback enabled
- return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.'));
+ return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.' ) );
}
$actual_post = wp_get_single_post($post_ID, ARRAY_A);
if ( !$actual_post ) {
// No such post = resource not found
- return new IXR_Error(32, __('The specified target URL does not exist.'));
+ return $this->pingback_error( 32, __('The specified target URL does not exist.' ) );
}
$comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
@@ -5105,4 +5109,8 @@ function pingback_extensions_getPingbacks($args) {
return $pingbacks;
}
+
+ protected function pingback_error( $code, $message ) {
+ return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) );
+ }
}
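Review bot: The `wp_remote_get` call in the `@@ -4955,39 +4959,39 @@` hunk sets `'redirection' => 0`, which is what keeps the just-validated source URI from being exchanged for an unvalidated redirect target, but nothing on the line says so and a later maintainer could restore the default. Suggest a comment on that line: `// Do not follow redirects: the source URI was validated by the pingback_ping_source_uri filter above; a redirect target would not be.` The same line passes only the body to the `!$linea` check, so a non-2xx response that still carries a body and a `<title>` is accepted; checking `wp_remote_retrieve_response_code()` before the title match would tighten it. `pingback_ping` begins and ends outside the hunks shown here.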
80 wp-includes/comment.php
@@ -1912,6 +1912,86 @@ function weblog_ping($server = '', $path = '') {
$client->query('weblogUpdates.ping', get_option('blogname'), $home);
}
+/**
+ * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI
+ *
+ * @since 3.5.1
+ *
+ * @param string $source_uri
+ * @return string
+ */
+function pingback_ping_source_uri( $source_uri ) {
+ $uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
+ if ( ! $uri )
+ return '';
+
+ $parsed_url = @parse_url( $uri );
+ if ( ! $parsed_url )
+ return '';
+
+ if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+ return '';
+
+ if ( false !== strpos( $parsed_url['host'], ':' ) )
+ return '';
+
+ $parsed_home = @parse_url( get_option( 'home' ) );
+
+ $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+
+ if ( ! $same_host ) {
+ $host = trim( $parsed_url['host'], '.' );
+ if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+ $ip = $host;
+ } else {
+ $ip = gethostbyname( $host );
+ if ( $ip === $host ) // Error condition for gethostbyname()
+ $ip = false;
+ }
+ if ( $ip ) {
+ if ( '127.0.0.1' === $ip )
+ return '';
+ $parts = array_map( 'intval', explode( '.', $ip ) );
+ if ( 10 === $parts[0] )
+ return '';
+ if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+ return '';
+ if ( 192 === $parts[0] && 168 === $parts[1] )
+ return '';
+ }
+ }
+
+ if ( empty( $parsed_url['port'] ) )
+ return $uri;
+
+ $port = $parsed_url['port'];
+ if ( 80 === $port || 443 === $port || 8080 === $port )
+ return $uri;
+
+ if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
+ return $uri;
+
+ return '';
+}
+
+/**
+ * Default filter attached to xmlrpc_pingback_error.
+ *
+ * Returns a generic pingback error code unless the error code is 48,
+ * which reports that the pingback is already registered.
+ *
+ * @since 3.5.1
+ * @link http://www.hixie.ch/specs/pingback/pingback#TOC3
+ *
+ * @param IXR_Error $ixr_error
+ * @return IXR_Error
+ */
+function xmlrpc_pingback_error( $ixr_error ) {
+ if ( $ixr_error->code === 48 )
+ return $ixr_error;
+ return new IXR_Error( 0, '' );
+}
+
//
// Cache
//
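Review bot: The private-address check at `if ( '127.0.0.1' === $ip )` rejects only that one literal, so the rest of the loopback /8, `0.0.0.0`, and the link-local `169.254.0.0/16` range pass the filter even though the RFC 1918 ranges below it are blocked by octet. Since `$parts` is already computed, a first-octet test covers them: `if ( 127 === $parts[0] || 0 === $parts[0] || ( 169 === $parts[0] && 254 === $parts[1] ) ) return '';`. Separately, `$parsed_home['host']` is read on the `$same_host` line before `$parsed_home` is tested for false (the later port branch does test it), and the host is resolved here with `gethostbyname()` while the HTTP request in `pingback_ping` resolves it again, so this is a best-effort check rather than a guarantee; a comment above the resolution block such as `// Best-effort: the host is resolved again when the request is made, so a changed answer is not caught here.` would record that.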
2  wp-includes/default-filters.php
@@ -192,6 +192,8 @@
add_filter( 'editable_slug', 'urldecode' );
add_filter( 'editable_slug', 'esc_textarea' );
add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object' );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' );
+add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' );
// Actions
add_action( 'wp_head', 'wp_enqueue_scripts', 1 );