Hi
A new security and maintenance release for WordPress was announced,
which addresses two security issues:
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
According to the announcement:
WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.
References:
https://core.trac.wordpress.org/changeset/36444
trunk/src/wp-includes/pluggable.php
Index: trunk/src/wp-includes/pluggable.php
===================================================================
--- a/trunk/src/wp-includes/pluggable.php
+++ b/trunk/src/wp-includes/pluggable.php
@@ -1337,7 +1337,15 @@
return $default;
- // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
- if ( isset($lp['scheme']) && !isset($lp['host']) )
+ // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
+ if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
return $default;
+ }
+
+ // Reject malformed components parse_url() can return on odd inputs.
+ foreach ( array( 'user', 'pass', 'host' ) as $component ) {
+ if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
+ return $default;
+ }
+ }
$wpp = parse_url(home_url());
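Review bot: The new foreach rejects any host containing `:`, which also rejects bracketed IPv6 literals such as `[::1]` that parse_url() returns as the host component, so the loop is stricter than the "malformed components" comment suggests; whether that is intended deserves a line in the comment. I would extend the comment to `// Reject malformed components parse_url() can return on odd inputs. Note: this also rejects IPv6 literal hosts, which keep their brackets and colons in $lp['host'].` so a later maintainer does not "fix" it without revisiting the open-redirect case. The enclosing function starts and ends outside the hunk, and the hunk header counts seven old and fifteen new lines while only five and thirteen are shown here, so two lines (probably blank context) appear to have been lost in quoting.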
https://core.trac.wordpress.org/changeset/36435
Index: trunk/src/wp-includes/http.php
===================================================================
--- a/trunk/src/wp-includes/http.php
+++ b/trunk/src/wp-includes/http.php
@@ -537,5 +537,5 @@
if ( $ip ) {
$parts = array_map( 'intval', explode( '.', $ip ) );
- if ( 127 === $parts[0] || 10 === $parts[0]
+ if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
|| ( 192 === $parts[0] && 168 === $parts[1] )
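Review bot: The new condition adds 0.0.0.0/8 but the list still omits the link-local range 169.254.0.0/16, which is a local-network destination in the same sense as the others and is commonly where cloud metadata services live; adding `|| ( 169 === $parts[0] && 254 === $parts[1] )` alongside the existing ranges would close that gap. The octet reads `$parts[1]` without checking that explode() produced four elements; if `$ip` always comes from a resolver this is fine, but a short dotted string would raise an undefined-offset notice rather than being rejected, so a `count( $parts ) === 4` guard may be worth adding. The enclosing function starts and ends outside the hunk.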
Regards,
Salvatore