I discovered this issue in regard to the use of the function check_url, because when trying to add a "friend" that was linked to my own Friendica and later Mastodon website, run on the very same cluster of servers running my WordPress site, no traffic ever left WordPress or my webserver specifically while resolving the Mastodon's domain name to a local internal subnet IP. When changing this to an external internet address IP, however, things magically worked.
This call here is intended for very specific use-cases, and I fear this may be one of the specific use cases this may or may not be legitimately useful for, as it's expecting a very specific protocol and only such.
Per a case I opened about this at WordPress, I feel this may be a case where this is probably hindering more than it should be.
As I pointed out in akirk/friends#304, there is a WordPress filter http_request_host_is_external that can be used. The filter friends_host_is_valid will be removed in the course of #109.
As the security team has pointed out to me, preventing access to internal IPs by default and allowing this to be purposefully circumvented with a dedicated filter is better than allowing access to internal IPs by default.
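The `http_request_host_is_external` filter named in the reply above, as an added example that is not part of the original thread or of either plugin's code: it allowlists one internal hostname and checks the subnet it resolves to, instead of returning true for every host. The hostname, the subnet and the `example_*` names are assumptions to replace with your own values.

```php
<?php
/**
 * Added example (not code from the Friends or Enable Mastodon Apps plugins).
 * Lets WordPress HTTP requests reach one named internal host while every
 * other internal address stays blocked by default.
 */

// Assumption: hostnames of your own services that resolve to internal IPs.
const EXAMPLE_INTERNAL_HOSTS = array( 'mastodon.example.internal' );

// Assumption: the IPv4 subnet those services live in.
const EXAMPLE_INTERNAL_CIDR = '10.0.5.0/24';

// True when the IPv4 address $ip falls inside $cidr.
function example_ip_in_cidr( string $ip, string $cidr ): bool {
	list( $subnet, $bits ) = explode( '/', $cidr );
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	if ( false === $ip_long || false === $subnet_long ) {
		return false; // Not a valid IPv4 address (e.g. DNS lookup failed).
	}
	$mask = -1 << ( 32 - (int) $bits );
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

// Filter callback: WordPress passes the current decision, the host and the URL.
function example_allow_own_hosts( $external, $host, $url ) {
	if ( $external ) {
		return $external; // Already allowed by core or another filter.
	}
	if ( ! in_array( strtolower( $host ), EXAMPLE_INTERNAL_HOSTS, true ) ) {
		return false; // Not on the allowlist: keep the default block.
	}
	// gethostbyname() returns its input unchanged when resolution fails,
	// which example_ip_in_cidr() then rejects.
	$ip = gethostbyname( $host );
	return example_ip_in_cidr( $ip, EXAMPLE_INTERNAL_CIDR );
}
add_filter( 'http_request_host_is_external', 'example_allow_own_hosts', 10, 3 );
```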
enable-mastodon-apps/includes/class-mastodon-api.php
Line 2388 in c9fbb3b