--- a/wp/wp-includes/http.php Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-includes/http.php Tue Sep 27 16:37:53 2022 +0200
@@ -222,7 +222,8 @@
*
* @param array|WP_Error $response HTTP response.
* @param string $header Header name to retrieve value from.
- * @return string The header value. Empty string on if incorrect parameter given, or if the header doesn't exist.
+ * @return array|string The header(s) value(s). Array if multiple headers with the same name are retrieved.
+ * Empty string if incorrect parameter given, or if the header doesn't exist.
*/
function wp_remote_retrieve_header( $response, $header ) {
if ( is_wp_error( $response ) || ! isset( $response['headers'] ) ) {
@@ -239,7 +240,7 @@
/**
* Retrieve only the response code from the raw response.
*
- * Will return an empty array if incorrect parameter value is given.
+ * Will return an empty string if incorrect parameter value is given.
*
* @since 2.7.0
*
@@ -257,7 +258,7 @@
/**
* Retrieve only the response message from the raw response.
*
- * Will return an empty array if incorrect parameter value is given.
+ * Will return an empty string if incorrect parameter value is given.
*
* @since 2.7.0
*
@@ -514,6 +515,10 @@
* @return string|false URL or false on failure.
*/
function wp_http_validate_url( $url ) {
+ if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
+ return false;
+ }
+
$original_url = $url;
$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
@@ -534,15 +539,10 @@
}
$parsed_home = parse_url( get_option( 'home' ) );
-
- if ( isset( $parsed_home['host'] ) ) {
- $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
- } else {
- $same_host = false;
- }
+ $same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+ $host = trim( $parsed_url['host'], '.' );
if ( ! $same_host ) {
- $host = trim( $parsed_url['host'], '.' );
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
$ip = $host;
} else {
@@ -581,7 +581,20 @@
}
$port = $parsed_url['port'];
- if ( 80 === $port || 443 === $port || 8080 === $port ) {
+
+ /**
+ * Controls the list of ports considered safe in HTTP API.
+ *
+ * Allows to change and allow external requests for the HTTP request.
+ *
+ * @since 5.9.0
+ *
+ * @param array $allowed_ports Array of integers for valid ports.
+ * @param string $host Host name of the requested URL.
+ * @param string $url Requested URL.
+ */
+ $allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url );
+ if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) {
return $url;
}
@@ -641,16 +654,15 @@
}
/**
- * A wrapper for PHP's parse_url() function that handles consistency in the return
- * values across PHP versions.
+ * A wrapper for PHP's parse_url() function that handles consistency in the return values
+ * across PHP versions.
*
- * PHP 5.4.7 expanded parse_url()'s ability to handle non-absolute url's, including
- * schemeless and relative url's with :// in the path. This function works around
+ * PHP 5.4.7 expanded parse_url()'s ability to handle non-absolute URLs, including
+ * schemeless and relative URLs with "://" in the path. This function works around
* those limitations providing a standard output on PHP 5.2~5.4+.
*
- * Secondly, across various PHP versions, schemeless URLs starting containing a ":"
- * in the query are being handled inconsistently. This function works around those
- * differences as well.
+ * Secondly, across various PHP versions, schemeless URLs containing a ":" in the query
+ * are being handled inconsistently. This function works around those differences as well.
*
* @since 4.4.0
* @since 4.7.0 The `$component` parameter was added for parity with PHP's `parse_url()`.