X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/5aa86a9053fb0fa15846bb60aac2fb8fdfff524a..6c8f14c09105d0afa4c1574215c59b5021040e76:/wp-includes/class-http.php diff --git a/wp-includes/class-http.php b/wp-includes/class-http.php index a68711c8..b50909fd 100644 --- a/wp-includes/class-http.php +++ b/wp-includes/class-http.php @@ -98,7 +98,6 @@ class WP_Http { 'filename' => null ); - // Pre-parse for the HEAD checks. $args = wp_parse_args( $args ); @@ -170,21 +169,17 @@ class WP_Http { if ( WP_Http_Encoding::is_available() ) $r['headers']['Accept-Encoding'] = WP_Http_Encoding::accept_encoding(); - if ( empty($r['body']) ) { - $r['body'] = null; - // Some servers fail when sending content without the content-length header being set. - // Also, to fix another bug, we only send when doing POST and PUT and the content-length - // header isn't already set. - if ( ($r['method'] == 'POST' || $r['method'] == 'PUT') && ! isset( $r['headers']['Content-Length'] ) ) - $r['headers']['Content-Length'] = 0; - } else { + if ( ( ! is_null( $r['body'] ) && '' != $r['body'] ) || 'POST' == $r['method'] || 'PUT' == $r['method'] ) { if ( is_array( $r['body'] ) || is_object( $r['body'] ) ) { $r['body'] = http_build_query( $r['body'], null, '&' ); + if ( ! isset( $r['headers']['Content-Type'] ) ) $r['headers']['Content-Type'] = 'application/x-www-form-urlencoded; charset=' . get_option( 'blog_charset' ); - $r['headers']['Content-Length'] = strlen( $r['body'] ); } + if ( '' === $r['body'] ) + $r['body'] = null; + if ( ! isset( $r['headers']['Content-Length'] ) && ! isset( $r['headers']['content-length'] ) ) $r['headers']['Content-Length'] = strlen( $r['body'] ); } @@ -201,7 +196,7 @@ class WP_Http { * @param array $args Request arguments * @param string $url URL to Request * - * @return string|false Class name for the first transport that claims to support the request. False if no transport claims to support the request. + * @return string|bool Class name for the first transport that claims to support the request. False if no transport claims to support the request. */ public function _get_first_available_transport( $args, $url = null ) { $request_order = array( 'curl', 'streams', 'fsockopen' ); @@ -383,18 +378,18 @@ class WP_Http { list($key, $value) = explode(':', $tempheader, 2); - if ( !empty( $value ) ) { - $key = strtolower( $key ); - if ( isset( $newheaders[$key] ) ) { - if ( !is_array($newheaders[$key]) ) - $newheaders[$key] = array($newheaders[$key]); - $newheaders[$key][] = trim( $value ); - } else { - $newheaders[$key] = trim( $value ); - } - if ( 'set-cookie' == $key ) - $cookies[] = new WP_Http_Cookie( $value ); + $key = strtolower( $key ); + $value = trim( $value ); + + if ( isset( $newheaders[ $key ] ) ) { + if ( ! is_array( $newheaders[ $key ] ) ) + $newheaders[$key] = array( $newheaders[ $key ] ); + $newheaders[ $key ][] = $value; + } else { + $newheaders[ $key ] = $value; } + if ( 'set-cookie' == $key ) + $cookies[] = new WP_Http_Cookie( $value ); } return array('response' => $response, 'headers' => $newheaders, 'cookies' => $cookies); @@ -430,6 +425,8 @@ class WP_Http { * Based off the HTTP http_encoding_dechunk function. Does not support UTF-8. Does not support * returning footer headers. Shouldn't be too difficult to support it though. * + * @link http://tools.ietf.org/html/rfc2616#section-19.4.6 Process for chunked decoding. + * * @todo Add support for footer chunked headers. * @access public * @since 2.7.0 @@ -535,8 +532,55 @@ class WP_Http { else return !in_array( $check['host'], $accessible_hosts ); //Inverse logic, If its in the array, then we can't access it. + } + + static function make_absolute_url( $maybe_relative_path, $url ) { + if ( empty( $url ) ) + return $maybe_relative_path; + + // Check for a scheme + if ( false !== strpos( $maybe_relative_path, '://' ) ) + return $maybe_relative_path; + + if ( ! $url_parts = @parse_url( $url ) ) + return $maybe_relative_path; + + if ( ! $relative_url_parts = @parse_url( $maybe_relative_path ) ) + return $maybe_relative_path; + + $absolute_path = $url_parts['scheme'] . '://' . $url_parts['host']; + if ( isset( $url_parts['port'] ) ) + $absolute_path .= ':' . $url_parts['port']; + // Start off with the Absolute URL path + $path = ! empty( $url_parts['path'] ) ? $url_parts['path'] : '/'; + // If the it's a root-relative path, then great + if ( ! empty( $relative_url_parts['path'] ) && '/' == $relative_url_parts['path'][0] ) { + $path = $relative_url_parts['path']; + + // Else it's a relative path + } elseif ( ! empty( $relative_url_parts['path'] ) ) { + // Strip off any file components from the absolute path + $path = substr( $path, 0, strrpos( $path, '/' ) + 1 ); + + // Build the new path + $path .= $relative_url_parts['path']; + + // Strip all /path/../ out of the path + while ( strpos( $path, '../' ) > 1 ) { + $path = preg_replace( '![^/]+/\.\./!', '', $path ); + } + + // Strip any final leading ../ from the path + $path = preg_replace( '!^/(\.\./)+!', '', $path ); + } + + // Add the Query string + if ( ! empty( $relative_url_parts['query'] ) ) + $path .= '?' . $relative_url_parts['query']; + + return $absolute_path . '/' . ltrim( $path, '/' ); } } @@ -733,7 +777,7 @@ class WP_Http_Fsockopen { // If location is found, then assume redirect and redirect to location. if ( isset($arrHeaders['headers']['location']) && 0 !== $r['_redirection'] ) { if ( $r['redirection']-- > 0 ) { - return $this->request($arrHeaders['headers']['location'], $r); + return $this->request( WP_HTTP::make_absolute_url( $arrHeaders['headers']['location'], $url ), $r); } else { return new WP_Error('http_request_failed', __('Too many redirects.')); } @@ -760,7 +804,7 @@ class WP_Http_Fsockopen { if ( ! function_exists( 'fsockopen' ) ) return false; - if ( false !== ($option = get_option( 'disable_fsockopen' )) && time()-$option < 43200 ) // 12 hours + if ( false !== ( $option = get_option( 'disable_fsockopen' ) ) && time() - $option < 12 * HOUR_IN_SECONDS ) return false; $is_ssl = isset( $args['ssl'] ) && $args['ssl']; @@ -866,7 +910,7 @@ class WP_Http_Streams { $arrContext['http']['header'] .= $proxy->authentication_header() . "\r\n"; } - if ( ! empty($r['body'] ) ) + if ( ! is_null( $r['body'] ) ) $arrContext['http']['content'] = $r['body']; $context = stream_context_create($arrContext); @@ -1023,15 +1067,14 @@ class WP_Http_Curl { } } - $is_local = isset($args['local']) && $args['local']; - $ssl_verify = isset($args['sslverify']) && $args['sslverify']; + $is_local = isset($r['local']) && $r['local']; + $ssl_verify = isset($r['sslverify']) && $r['sslverify']; if ( $is_local ) $ssl_verify = apply_filters('https_local_ssl_verify', $ssl_verify); elseif ( ! $is_local ) $ssl_verify = apply_filters('https_ssl_verify', $ssl_verify); - - // CURLOPT_TIMEOUT and CURLOPT_CONNECTTIMEOUT expect integers. Have to use ceil since + // CURLOPT_TIMEOUT and CURLOPT_CONNECTTIMEOUT expect integers. Have to use ceil since // a value of 0 will allow an unlimited timeout. $timeout = (int) ceil( $r['timeout'] ); curl_setopt( $handle, CURLOPT_CONNECTTIMEOUT, $timeout ); @@ -1042,7 +1085,9 @@ class WP_Http_Curl { curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, ( $ssl_verify === true ) ? 2 : false ); curl_setopt( $handle, CURLOPT_SSL_VERIFYPEER, $ssl_verify ); curl_setopt( $handle, CURLOPT_USERAGENT, $r['user-agent'] ); - curl_setopt( $handle, CURLOPT_MAXREDIRS, $r['redirection'] ); + // The option doesn't work with safe mode or when open_basedir is set, and there's a + // bug #17490 with redirected POST requests, so handle redirections outside Curl. + curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, false ); switch ( $r['method'] ) { case 'HEAD': @@ -1056,10 +1101,15 @@ class WP_Http_Curl { curl_setopt( $handle, CURLOPT_CUSTOMREQUEST, 'PUT' ); curl_setopt( $handle, CURLOPT_POSTFIELDS, $r['body'] ); break; + default: + curl_setopt( $handle, CURLOPT_CUSTOMREQUEST, $r['method'] ); + if ( ! is_null( $r['body'] ) ) + curl_setopt( $handle, CURLOPT_POSTFIELDS, $r['body'] ); + break; } if ( true === $r['blocking'] ) - curl_setopt( $handle, CURLOPT_HEADERFUNCTION, array( &$this, 'stream_headers' ) ); + curl_setopt( $handle, CURLOPT_HEADERFUNCTION, array( $this, 'stream_headers' ) ); curl_setopt( $handle, CURLOPT_HEADER, false ); @@ -1074,10 +1124,6 @@ class WP_Http_Curl { curl_setopt( $handle, CURLOPT_FILE, $stream_handle ); } - // The option doesn't work with safe mode or when open_basedir is set. - if ( !ini_get('safe_mode') && !ini_get('open_basedir') && 0 !== $r['_redirection'] ) - curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, true ); - if ( !empty( $r['headers'] ) ) { // cURL expects full header strings in each element $headers = array(); @@ -1110,12 +1156,12 @@ class WP_Http_Curl { if ( strlen($theResponse) > 0 && ! is_bool( $theResponse ) ) // is_bool: when using $args['stream'], curl_exec will return (bool)true $theBody = $theResponse; - // If no response, and It's not a HEAD request with valid headers returned - if ( 0 == strlen($theResponse) && ('HEAD' != $args['method'] || empty($this->headers)) ) { - if ( $curl_error = curl_error($handle) ) - return new WP_Error('http_request_failed', $curl_error); - if ( in_array( curl_getinfo( $handle, CURLINFO_HTTP_CODE ), array(301, 302) ) ) - return new WP_Error('http_request_failed', __('Too many redirects.')); + // If no response + if ( 0 == strlen( $theResponse ) && empty( $theHeaders['headers'] ) ) { + if ( $curl_error = curl_error( $handle ) ) + return new WP_Error( 'http_request_failed', $curl_error ); + if ( in_array( curl_getinfo( $handle, CURLINFO_HTTP_CODE ), array( 301, 302 ) ) ) + return new WP_Error( 'http_request_failed', __( 'Too many redirects.' ) ); } $this->headers = ''; @@ -1130,9 +1176,9 @@ class WP_Http_Curl { fclose( $stream_handle ); // See #11305 - When running under safe mode, redirection is disabled above. Handle it manually. - if ( ! empty( $theHeaders['headers']['location'] ) && ( ini_get( 'safe_mode' ) || ini_get( 'open_basedir' ) ) && 0 !== $r['_redirection'] ) { + if ( ! empty( $theHeaders['headers']['location'] ) && 0 !== $r['_redirection'] ) { // _redirection: The requested number of redirections if ( $r['redirection']-- > 0 ) { - return $this->request( $theHeaders['headers']['location'], $r ); + return $this->request( WP_HTTP::make_absolute_url( $theHeaders['headers']['location'], $url ), $r ); } else { return new WP_Error( 'http_request_failed', __( 'Too many redirects.' ) ); } @@ -1344,6 +1390,10 @@ class WP_HTTP_Proxy { $home = parse_url( get_option('siteurl') ); + $result = apply_filters( 'pre_http_send_through_proxy', null, $uri, $check, $home ); + if ( ! is_null( $result ) ) + return $result; + if ( $check['host'] == 'localhost' || $check['host'] == $home['host'] ) return false; @@ -1494,11 +1544,11 @@ class WP_Http_Cookie { * @since 2.8.0 * * @param string $url URL you intend to send this cookie to - * @return boolean TRUE if allowed, FALSE otherwise. + * @return boolean true if allowed, false otherwise. */ function test( $url ) { // Expires - if expired then nothing else matters - if ( time() > $this->expires ) + if ( isset( $this->expires ) && time() > $this->expires ) return false; // Get details on the URL we're thinking about sending to @@ -1538,10 +1588,10 @@ class WP_Http_Cookie { * @return string Header encoded cookie name and value. */ function getHeaderValue() { - if ( empty( $this->name ) || empty( $this->value ) ) + if ( ! isset( $this->name ) || ! isset( $this->value ) ) return ''; - return $this->name . '=' . urlencode( $this->value ); + return $this->name . '=' . apply_filters( 'wp_http_cookie_value', $this->value, $this->name ); } /** @@ -1625,7 +1675,7 @@ class WP_Http_Encoding { /** * Decompression of deflated string while staying compatible with the majority of servers. * - * Certain Servers will return deflated data with headers which PHP's gziniflate() + * Certain Servers will return deflated data with headers which PHP's gzinflate() * function cannot handle out of the box. The following function has been created from * various snippets on the gzinflate() PHP documentation. *