Clarify and/or correct section about SSRF

WordPress / Security-White-Paper

The WordPress Security White Paper, available directly on the WordPress.org site at https://wordpress.org/about/security/

96 stars 53 forks source link

Clarify and/or correct section about SSRF #53

Open johnbillion opened 7 years ago

johnbillion commented 7 years ago

HTTP requests issued by WordPress are filtered to prevent access to loopback and private IP addresses. Additionally, access is only allowed to certain standard HTTP ports.

I don't believe this is accurate. Port access configuration is outside of the control of WordPress.

iandunn commented 7 years ago

I assumed that was in reference to outbound requests, and specifically to the reject_unsafe_urls param of wp_remote_{get|post}. That defaults to false, though, so I guess that wouldn't make sense.

If it does refer to inbound requests, maybe it's an artifact from the original WordPress.com white paper?

iandunn commented 7 years ago

Ah, I bet it was referring to wp_safe_remote_get() and wp_safe_remote_post(), since reject_unsafe_urls is true for them.

johnbillion commented 7 years ago

Ah yes, I think you're right. Needs some clarification.

iandunn commented 7 years ago

@johnbillion, how does 929d667 look to you?

Overall, the white paper seems pretty light on low-level details, which I'm assuming was intentional (perhaps to avoid boring/overwhelming non-technical readers?). So maybe the references to specific functions and ports should be removed?