+
+/**
+ * Validate a URL for safe use in the HTTP API.
+ *
+ * @since 3.5.2
+ *
+ * @param string $url
+ * @return false|string URL or false on failure.
+ */
+function wp_http_validate_url( $url ) {
+ $original_url = $url;
+ $url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
+ if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) )
+ return false;
+
+ $parsed_url = @parse_url( $url );
+ if ( ! $parsed_url || empty( $parsed_url['host'] ) )
+ return false;
+
+ if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+ return false;
+
+ if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
+ return false;
+
+ $parsed_home = @parse_url( get_option( 'home' ) );
+
+ $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+
+ if ( ! $same_host ) {
+ $host = trim( $parsed_url['host'], '.' );
+ if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+ $ip = $host;
+ } else {
+ $ip = gethostbyname( $host );
+ if ( $ip === $host ) // Error condition for gethostbyname()
+ $ip = false;
+ }
+ if ( $ip ) {
+ $parts = array_map( 'intval', explode( '.', $ip ) );
+ if ( 127 === $parts[0] || 10 === $parts[0]
+ || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+ || ( 192 === $parts[0] && 168 === $parts[1] )
+ ) {
+ // If host appears local, reject unless specifically allowed.
+ /**
+ * Check if HTTP request is external or not.
+ *
+ * Allows to change and allow external requests for the HTTP request.
+ *
+ * @since 3.6.0
+ *
+ * @param bool false Whether HTTP request is external or not.
+ * @param string $host IP of the requested host.
+ * @param string $url URL of the requested host.
+ */
+ if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) )
+ return false;
+ }
+ }
+ }
+
+ if ( empty( $parsed_url['port'] ) )
+ return $url;
+
+ $port = $parsed_url['port'];
+ if ( 80 === $port || 443 === $port || 8080 === $port )
+ return $url;
+
+ if ( $parsed_home && $same_host && isset( $parsed_home['port'] ) && $parsed_home['port'] === $port )
+ return $url;
+
+ return false;
+}
+
+/**
+ * Whitelists allowed redirect hosts for safe HTTP requests as well.
+ *
+ * Attached to the http_request_host_is_external filter.
+ *
+ * @since 3.6.0
+ *
+ * @param bool $is_external
+ * @param string $host
+ * @return bool
+ */
+function allowed_http_request_hosts( $is_external, $host ) {
+ if ( ! $is_external && wp_validate_redirect( 'http://' . $host ) )
+ $is_external = true;
+ return $is_external;
+}
+
+/**
+ * Whitelists any domain in a multisite installation for safe HTTP requests.
+ *
+ * Attached to the http_request_host_is_external filter.
+ *
+ * @since 3.6.0
+ *
+ * @param bool $is_external
+ * @param string $host
+ * @return bool
+ */
+function ms_allowed_http_request_hosts( $is_external, $host ) {
+ global $wpdb;
+ static $queried = array();
+ if ( $is_external )
+ return $is_external;
+ if ( $host === get_current_site()->domain )
+ return true;
+ if ( isset( $queried[ $host ] ) )
+ return $queried[ $host ];
+ $queried[ $host ] = (bool) $wpdb->get_var( $wpdb->prepare( "SELECT domain FROM $wpdb->blogs WHERE domain = %s LIMIT 1", $host ) );
+ return $queried[ $host ];
+}