-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Networking: Implement gethostbyname #400
Comments
Actually, this is only a problem when networking is disabled. Native PHP returns the original input in that scenario:
The WASM version of |
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
$ip = $host;
} else {
$ip = gethostbyname( $host );
if ( $ip === $host ) { // Error condition for gethostbyname().
return false;
}
}
if ( $ip ) {
$parts = array_map( 'intval', explode( '.', $ip ) );
if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
|| ( 192 === $parts[0] && 168 === $parts[1] )
) {
// If host appears local, reject unless specifically allowed.
if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) ) {
return false;
}
}
} The local IP address that |
Problem
As seen in #396, calling
gethostbyname
in PHP generates a random local IP address. Emscripten then re-routes it to the correct location, but the fact we even have local IP in the mix causeswp_safe_remote_get
to fail since it refuses to connect to a local IP address.A workaround discussed in that issue silences the warning, which works in a dev environment, but for production use we need a proper fix that doesn't open up a possibility of local network traversal.
Proposed solution
Hardcoding host resolution won’t cut it and we need to defer to the OS
gethostbyname
implementation.The
DNS.lookup()
implementation that comes with node.js is asynchronous so there are two ways to go about it:Unrelated trivia: I just learned that dns.lookup() pretends to be asynchronous, but in reality it calls a blocking function:
https://httptoolkit.com/blog/configuring-nodejs-dns/
The author discusses a
cacheable-lookup
library that exposes a synchronouslookup()
function - perhaps it could „just work” for us?https://www.npmjs.com/package/cacheable-lookup
Related info
This is also solved by enabling the networking access by adding networking=yes to the URL, for example:
https://playground.wordpress.net/?plugin=create-block-theme&url=/wp-admin/admin.php?page=create-block-theme&networking=yes
Or with the following Blueprint:
cc @akirk @dmsnell @danielbachhuber
The text was updated successfully, but these errors were encountered: