New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Webhook URL Validation #9751

Closed
sandymcfadden opened this Issue Dec 3, 2015 · 6 comments

Comments

Projects
None yet
6 participants
@sandymcfadden
Copy link

sandymcfadden commented Dec 3, 2015

This came through in a support ticket:

Setup a webhook (topic: order created), request is never sent, in the webhook log under "response" it says:
"Status: HTTP http_request_failed A valid URL was not provided.: Array"

The URL is valid, I can CURL it from a terminal on the same server and get a 200 response.

Here was what seems to be causing the problem.

The problem appears to be WP URL validation, it doesn't allow private IP ranges by default. As the servers I use are in an Amazon AWS VPC the gethostbyname() always returns the private IP address of the target EC2 server (even if it is public accessible), and validation fails.

I can override this, but maybe a useful feature would be for the webhooks to be validated at save time, and then not so rigorously (as these are entered by an Admin, they're not user supplied content)

@keyban

This comment has been minimized.

Copy link

keyban commented Mar 20, 2017

this isn't solved yet. i am currently receiving the exact same error when trying to activate the webhook.
some details to my specific usage:

  • the webhook gets created via the API
  • the delivery URL points to an AWS server
  • the delivery URL works perfectly fine when testing it via a curl call

as the webhooks have to be created dynamically on customer woocommerce shops editing code myself is not an option

the error message:

Error: Delivery URL cannot be reached: A valid URL was not provided.

@mikejolley

This comment has been minimized.

Copy link
Member

mikejolley commented Mar 20, 2017

The test does a wp_safe_remote_post. If this cannot reach your server, it's due to the URL and/or your server/firewall. WC cannot work around failing wp_safe_remote_posts.

@noriods

This comment has been minimized.

Copy link

noriods commented May 22, 2017

As @keyban mentioned, this isn't fixed.

@mikejolley there is an easy way for WC to work around this.

The function wp_safe_remote_post accepts arguments. One of those arguments is reject_unsafe_urls. And it defaults to true.

So one simple way to fix this is to provide a checkbox that allows an admin to turn reject_unsafe_urls off.

There are at least 2 use-cases for this functionality. One is for testing during development and the other, as mentioned above, is for webhooks between websites on the same (local) subnet.

A similar feature can be found for payment gateways — there's normally a testing mode. A "Testing Mode" for webhooks would be helpful, IMO.

@claudiosanches

This comment has been minimized.

Copy link
Member

claudiosanches commented May 24, 2017

@maxiwarecc

The function wp_safe_remote_post accepts arguments. One of those arguments is reject_unsafe_urls. And it defaults to true.
So one simple way to fix this is to provide a checkbox that allows an admin to turn reject_unsafe_urls off.

wp_safe_remote_post() does not have reject_unsafe_urls as true by default, what really happens is that wp_safe_remote_post() FORCES reject_unsafe_urls as true, so even if you try pass any arg, reject_unsafe_urls will be always true.

See the source code in: https://developer.wordpress.org/reference/functions/wp_safe_remote_post/

Still it's very simple to turn it off for development, just need to use the http_request_args filter.

https://developer.wordpress.org/reference/hooks/http_request_args/

Example:

add_filter( 'http_request_args', function( $args ) {
    $args['reject_unsafe_urls'] = false;

    return $args;
});

There is still a second param for $url, so this makes easy for your test it on development too.
And since this is something for development, I don't see any need to include an option on admin, a live site should only connect with safe URLs too.

@noriods

This comment has been minimized.

Copy link

noriods commented May 25, 2017

@claudiosanches thanks for the correction. And for the heads-up on that filter. I missed it. Much appreciated 😄

@zeroosama

This comment has been minimized.

Copy link

zeroosama commented Jul 7, 2018

Error: Delivery URL returned response code: 405

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment