vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-04-04 12:44:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Security: Fix bug in wp_is_local_html_output().

Browse Source 
Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.


git-svn-id: https://develop.svn.wordpress.org/trunk@50391 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Felix Arntz
2021-02-19 21:11:02 +00:00
parent d77042872c
commit c8bbd79d2d
2 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/wp-includes/https-detection.php
View File

@@ -204,7 +204,7 @@ function wp_cron_conditionally_prevent_sslverify( $request ) {
function wp_is_local_html_output( $html ) {
// 1. Check if HTML includes the site's Really Simple Discovery link.
if ( has_action( 'wp_head', 'rsd_link' ) ) {
$pattern = esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ); // See rsd_link().
$pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ) ); // See rsd_link().
return false !== strpos( $html, $pattern );
}
@@ -218,7 +218,7 @@ function wp_is_local_html_output( $html ) {
// 3. Check if HTML includes the site's REST API link.
if ( has_action( 'wp_head', 'rest_output_link_wp_head' ) ) {
// Try both HTTPS and HTTP since the URL depends on context.
$pattern = esc_url( preg_replace( '#^https?:(?=//)#', '', get_rest_url() ) ); // See rest_output_link_wp_head().
$pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( get_rest_url() ) ); // See rest_output_link_wp_head().
return false !== strpos( $html, $pattern );
}