diff -r be944660c56a -r 3d72ae0968f4 wp/wp-includes/http.php
--- a/wp/wp-includes/http.php Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-includes/http.php Tue Sep 27 16:37:53 2022 +0200
@@ -222,7 +222,8 @@
 *
 * @param array|WP_Error $response HTTP response.
 * @param string $header Header name to retrieve value from.
- * @return string The header value. Empty string on if incorrect parameter given, or if the header doesn't exist.
+ * @return array|string The header(s) value(s). Array if multiple headers with the same name are retrieved.
+ * Empty string if incorrect parameter given, or if the header doesn't exist.
 */
 function wp_remote_retrieve_header( $response, $header ) {
 if ( is_wp_error( $response ) || ! isset( $response['headers'] ) ) {
@@ -239,7 +240,7 @@
 /**
 * Retrieve only the response code from the raw response.
 *
- * Will return an empty array if incorrect parameter value is given.
+ * Will return an empty string if incorrect parameter value is given.
 *
 * @since 2.7.0
 *
@@ -257,7 +258,7 @@
 /**
 * Retrieve only the response message from the raw response.
 *
- * Will return an empty array if incorrect parameter value is given.
+ * Will return an empty string if incorrect parameter value is given.
 *
 * @since 2.7.0
 *
@@ -514,6 +515,10 @@
 * @return string|false URL or false on failure.
 */
 function wp_http_validate_url( $url ) {
+ if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
+ return false;
+ }
+
 $original_url = $url;
 $url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
 if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
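Review bot: The early return added at the top of `wp_http_validate_url()` carries no comment explaining why numeric strings are rejected together with non-strings and the empty string, so the intent of the `is_numeric()` clause is easy to lose in a later cleanup. A one-line comment such as `// Bail before wp_kses_bad_protocol() on input that cannot be a URL: non-strings, '' and numeric strings.` would record it. Since this function appears to be the validation step for outbound request URLs, the three rejected input shapes are also worth pinning with unit tests so the fail-closed behaviour cannot regress. The function body continues outside the hunk.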
@@ -534,15 +539,10 @@ } $parsed_home = parse_url( get_option( 'home' ) ); - - if ( isset( $parsed_home['host'] ) ) { - $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); - } else { - $same_host = false; - } + $same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); + $host = trim( $parsed_url['host'], '.' ); if ( ! $same_host ) { - $host = trim( $parsed_url['host'], '.' ); if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) { $ip = $host; } else { @@ -581,7 +581,20 @@ } $port = $parsed_url['port']; - if ( 80 === $port || 443 === $port || 8080 === $port ) { + + /** + * Controls the list of ports considered safe in HTTP API. + * + * Allows to change and allow external requests for the HTTP request. + * + * @since 5.9.0 + * + * @param array $allowed_ports Array of integers for valid ports. + * @param string $host Host name of the requested URL. + * @param string $url Requested URL. + */ + $allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url ); + if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) { return $url; } 
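Review bot: `$same_host` is still computed from the raw `$parsed_url['host']`, while the `$host` now hoisted out of the `if ( ! $same_host )` branch has leading and trailing dots trimmed, so the two values can disagree for a host written with a trailing dot. That errs on the strict side (such a host is treated as not-home and goes through the address checks), so it looks safe. It should still be made explicit, either with a comment saying the difference is deliberate, or by computing `$host` first and comparing `strtolower( $parsed_home['host'] ) === strtolower( $host )` if the looser match is actually wanted. Both lines assume `$parsed_url['host']` is set; any check for that is outside this hunk.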
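Review bot: The docblock for the new `http_allowed_safe_ports` filter does not mention that the list is matched with a strict `in_array()`, so a callback returning ports as strings (for example, values read from an option) will silently never match; it also types the parameter as a plain `array`. Suggest `@param int[] $allowed_ports Ports treated as safe. Compared strictly, so values must be integers.` and rewording the second sentence, which currently reads "Allows to change and allow external requests for the HTTP request." Because every port added here relaxes the restriction on where a validated request may connect, the description should also tell callbacks to scope additions using the `$host` argument rather than adding ports for all hosts. A non-array return falls through the `is_array()` guard to code after the hunk, which is not visible here and is presumably the rejection path.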
@@ -641,16 +654,15 @@ } /** - * A wrapper for PHP's parse_url() function that handles consistency in the return - * values across PHP versions. + * A wrapper for PHP's parse_url() function that handles consistency in the return values + * across PHP versions. * - * PHP 5.4.7 expanded parse_url()'s ability to handle non-absolute url's, including - * schemeless and relative url's with :// in the path. This function works around + * PHP 5.4.7 expanded parse_url()'s ability to handle non-absolute URLs, including + * schemeless and relative URLs with "://" in the path. This function works around * those limitations providing a standard output on PHP 5.2~5.4+. * - * Secondly, across various PHP versions, schemeless URLs starting containing a ":" - * in the query are being handled inconsistently. This function works around those - * differences as well. + * Secondly, across various PHP versions, schemeless URLs containing a ":" in the query + * are being handled inconsistently. This function works around those differences as well. * * @since 4.4.0 * @since 4.7.0 The `$component` parameter was added for parity with PHP's `parse_url()`.