From 5db0ce11fba611f4320762e317754239de1e6c3c Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 20 Nov 2014 14:00:26 +0000
Subject: [PATCH] Better validation of the URL used in core HTTP requests.

git-svn-id: https://develop.svn.wordpress.org/trunk@30443 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/http.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/http.php b/src/wp-includes/http.php
index c3a890b796..8519d1834d 100644
--- a/src/wp-includes/http.php
+++ b/src/wp-includes/http.php
@@ -444,8 +444,9 @@ function send_origin_headers() {
  * @return mixed URL or false on failure.
  */
 function wp_http_validate_url( $url ) {
+	$original_url = $url;
 	$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
-	if ( ! $url )
+	if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) )
 		return false;

 	$parsed_url = @parse_url( $url );
@@ -455,7 +456,7 @@ function wp_http_validate_url( $url ) {
 	if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
 		return false;

-	if ( false !== strpos( $parsed_url['host'], ':' ) )
+	if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
 		return false;

 	$parsed_home = @parse_url( get_option( 'home' ) );
@@ -473,8 +474,7 @@ function wp_http_validate_url( $url ) {
 	}
 	if ( $ip ) {
 		$parts = array_map( 'intval', explode( '.', $ip ) );
-		if ( '127.0.0.1' === $ip
-			|| ( 10 === $parts[0] )
+		if ( 127 === $parts[0] || 10 === $parts[0]
 			|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
 			|| ( 192 === $parts[0] && 168 === $parts[1] )
 		) {
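Review bot: The character list `':#?[]'` passed to strpbrk() in the second hunk is a security check with no explanation of what each character guards against, and the consequence that bracketed IPv6 literals are now rejected is not stated anywhere. A one-line comment above the check would keep a later maintainer from "fixing" it: `// Reject any host parse_url() accepted but that still carries a port, fragment, query or bracketed literal; the transport must only ever see a plain hostname or IPv4 address.` The `@return` docblock above the first hunk should also mention that IPv6 hosts are refused. wp_http_validate_url continues outside these hunks, so the lines that establish `$parsed_url['host']` is set were not reviewed here.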
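Review bot: The widened range test in the third hunk still treats 0.0.0.0/8, link-local 169.254.0.0/16 and the shared-address block 100.64.0.0/10 as acceptable, so the loopback and RFC 1918 cases are closed while other non-routable addresses are not; it also reads `$parts[1]` on the assumption that `$ip` is always a four-octet dotted quad, which holds only if the lookup above the hunk guarantees it. Rather than growing the hand-rolled list, the standard library already encodes the private and reserved ranges: `if ( $ip && false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) )` followed by the same `return false;` path replaces the whole `$parts` comparison and stays correct as ranges are added upstream. Whichever form is kept, a comment naming the intent (`// Refuse requests to loopback, private and reserved IPv4 ranges`) should sit above the condition. The surrounding `if ( $ip )` block and the function body continue outside the hunk.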