v7.1-b6: Enhanced URL fetch validation to avoid possible local info expose

Author: Hai Zheng

litespeed-cache.php

@@ -4,7 +4,7 @@
  * Plugin Name:       LiteSpeed Cache
  * Plugin URI:        https://www.litespeedtech.com/products/cache-plugins/wordpress-acceleration
  * Description:       High-performance page caching and site optimization from LiteSpeed
- * Version:           7.1-b1
+ * Version:           7.1-b6
  * Author:            LiteSpeed Technologies
  * Author URI:        https://www.litespeedtech.com
  * License:           GPLv3
@@ -34,7 +34,7 @@
 	return;
 }
 
-!defined('LSCWP_V') && define('LSCWP_V', '7.1-b1');
+!defined('LSCWP_V') && define('LSCWP_V', '7.1-b6');
 
 !defined('LSCWP_CONTENT_DIR') && define('LSCWP_CONTENT_DIR', WP_CONTENT_DIR);
 !defined('LSCWP_DIR') && define('LSCWP_DIR', __DIR__ . '/'); // Full absolute path '/var/www/html/***/wp-content/plugins/litespeed-cache/' or MU

src/avatar.cls.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * The avatar cache class
  *
@@ -7,6 +8,7 @@
  * @subpackage 	LiteSpeed/inc
  * @author     	LiteSpeed Technologies <[email protected]>
  */
+
 namespace LiteSpeed;
 
 defined('WPINC') || exit();
@@ -242,7 +244,7 @@ private function _generate($url)
 		// Generate
 		$this->_maybe_mk_cache_folder('avatar');
 
-		$response = wp_remote_get($url, array('timeout' => 180, 'stream' => true, 'filename' => $file));
+		$response = wp_safe_remote_get($url, array('timeout' => 180, 'stream' => true, 'filename' => $file));
 
 		Debug2::debug('[Avatar] _generate [url] ' . $url);
 

src/cloud.cls.php

@@ -473,7 +473,7 @@ private function _load_server_pk($from_wpapi = false)
 		if ($from_wpapi) {
 			$server_key_url = self::CLOUD_SERVER_WP . '/' . self::API_SERVER_KEY_SIGN;
 		}
-		$resp = wp_remote_get($server_key_url);
+		$resp = wp_safe_remote_get($server_key_url);
 		if (is_wp_error($resp)) {
 			self::debugErr('Failed to load key: ' . $resp->get_error_message());
 			return false;
@@ -1036,7 +1036,7 @@ public function detect_cloud($service, $force = false)
 			// TODO
 			$valid_cloud_loads = array();
 			foreach ($valid_clouds as $k => $v) {
-				$response = wp_remote_get($v, array('timeout' => 5));
+				$response = wp_safe_remote_get($v, array('timeout' => 5));
 				if (is_wp_error($response)) {
 					$error_message = $response->get_error_message();
 					self::debug('failed to do load checker: ' . $error_message);
@@ -1188,7 +1188,7 @@ private function _get($service, $data = false)
 
 		self::save_summary(array('curr_request.' . $service_tag => time()));
 
-		$response = wp_remote_get($url, array(
+		$response = wp_safe_remote_get($url, array(
 			'timeout' => 15,
 			'headers' => array('Accept' => 'application/json'),
 		));
@@ -1361,7 +1361,7 @@ private function _post($service, $data = false, $time_out = false)
 
 		self::save_summary(array('curr_request.' . $service_tag => time()));
 
-		$response = wp_remote_post($url, array(
+		$response = wp_safe_remote_post($url, array(
 			'body' => $param,
 			'timeout' => $time_out ?: 15,
 			'headers' => array('Accept' => 'application/json', 'Expect' => ''),
@@ -1844,7 +1844,7 @@ private function _update_ips()
 		// Prevent multiple call in a short period
 		self::save_summary(array('ips_ts' => time(), 'ips_ts_runner' => time()));
 
-		$response = wp_remote_get(self::CLOUD_IPS . '?json');
+		$response = wp_safe_remote_get(self::CLOUD_IPS . '?json');
 		if (is_wp_error($response)) {
 			$error_message = $response->get_error_message();
 			self::debug('failed to get ip whitelist: ' . $error_message);

src/core.cls.php

@@ -677,7 +677,7 @@ public function send_headers($is_forced = false)
 				self::debug('[Core] Purge Queue found, issue a HTTP req to purge: ' . $purge_queue);
 				// Kick off HTTP req
 				$url = admin_url('admin-ajax.php');
-				$resp = wp_remote_get($url);
+				$resp = wp_safe_remote_get($url);
 				if (is_wp_error($resp)) {
 					$error_message = $resp->get_error_message();
 					self::debug('[URL]' . $url);

src/crawler-map.cls.php

@@ -525,7 +525,7 @@ private function _parse($sitemap)
 		 * Read via wp func to avoid allow_url_fopen = off
 		 * @since  2.2.7
 		 */
-		$response = wp_remote_get($sitemap, array('timeout' => $this->_conf_map_timeout, 'sslverify' => false));
+		$response = wp_safe_remote_get($sitemap, array('timeout' => $this->_conf_map_timeout, 'sslverify' => false));
 		if (is_wp_error($response)) {
 			$error_message = $response->get_error_message();
 			self::debug('failed to read sitemap: ' . $error_message);

src/file.cls.php

@@ -22,7 +22,7 @@ class File
 	 */
 	public static function is_404($url)
 	{
-		$response = wp_remote_get($url);
+		$response = wp_safe_remote_get($url);
 		$code = wp_remote_retrieve_response_code($response);
 		if ($code == 404) {
 			return true;

src/img-optm.cls.php

@@ -1235,7 +1235,7 @@ public function pull($manual = false)
 					));
 				} else {
 					foreach ($requests as $cnt => $req) {
-						$wp_response = wp_remote_get($req['url'], array('timeout' => 60));
+						$wp_response = wp_safe_remote_get($req['url'], array('timeout' => 60));
 						$request_response = array(
 							'success' => false,
 							'status_code' => 0,

src/localization.cls.php

@@ -1,9 +1,11 @@
 <?php
+
 /**
  * The localization class.
  *
  * @since      	3.3
  */
+
 namespace LiteSpeed;
 
 defined('WPINC') || exit();
@@ -90,7 +92,7 @@ public function serve_static($uri)
 		$file = $this->_realpath($url);
 
 		self::debug('localize [url] ' . $url);
-		$response = wp_remote_get($url, array('timeout' => 180, 'stream' => true, 'filename' => $file));
+		$response = wp_safe_remote_get($url, array('timeout' => 180, 'stream' => true, 'filename' => $file));
 
 		// Parse response data
 		if (is_wp_error($response)) {

src/optimizer.cls.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * The optimize4 class.
  *
@@ -7,6 +8,7 @@
  * @subpackage 	LiteSpeed/inc
  * @author     	LiteSpeed Technologies <[email protected]>
  */
+
 namespace LiteSpeed;
 
 defined('WPINC') || exit();
@@ -229,7 +231,7 @@ private function load_cached_file($url, $file_type)
 		}
 
 		// Write file
-		$res = wp_remote_get($url);
+		$res = wp_safe_remote_get($url);
 		$res_code = wp_remote_retrieve_response_code($res);
 		if (is_wp_error($res) || $res_code != 200) {
 			Debug2::debug2('[Optimizer] ❌ Load Remote error [code] ' . $res_code);

src/task.cls.php

@@ -131,7 +131,7 @@ public static function async_call($type)
 		);
 		$url = add_query_arg($qs, admin_url('admin-ajax.php'));
 		self::debug('async call to ' . $url);
-		wp_remote_post(esc_url_raw($url), $args);
+		wp_safe_remote_post(esc_url_raw($url), $args);
 	}
 
 	/**

src/tool.cls.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * The tools
  *
@@ -7,6 +8,7 @@
  * @subpackage 	LiteSpeed/inc
  * @author     	LiteSpeed Technologies <[email protected]>
  */
+
 namespace LiteSpeed;
 
 defined('WPINC') || exit();
@@ -23,7 +25,7 @@ public function check_ip()
 	{
 		Debug2::debug('[Tool] ✅ check_ip');
 
-		$response = wp_remote_get('https://www.doapi.us/ip');
+		$response = wp_safe_remote_get('https://www.doapi.us/ip');
 
 		if (is_wp_error($response)) {
 			return new \WP_Error('remote_get_fail', 'Failed to fetch from https://www.doapi.us/ip', array('status' => 404));