How do I use the ‘http_request_host_is_external’ filter

by

I’m having a really hard time trying to use the http_request_host_is_external filter. For some background, I’m trying to set up a separate server to handle private plugin and theme updates. The problem is that it’s on a separate server, so the WordPress wp_http_validate_url (wp-includes/http.php) function kills the request. The following are lines 481-503 of that file.

if ( $ip ) {
        $parts = array_map( 'intval', explode( '.', $ip ) );
        if ( '127.0.0.1' === $ip
            || ( 10 === $parts[0] )
            || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
            || ( 192 === $parts[0] && 168 === $parts[1] )
        ) {
            // If host appears local, reject unless specifically allowed.
            /**
             * Check if HTTP request is external or not.
             *
             * Allows to change and allow external requests for the HTTP request.
             *
             * @since 3.6.0
             *
             * @param bool false Whether HTTP request is external or not.
             * @param string $host IP of the requested host.
             * @param string $url URL of the requested host.
             */
            if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) )
                return false;
        }
    }

You’ll notice that there is a comment in there that mentions we should be able to apply the filter and make external requests, but what I’m trying doesn’t seem to work.

    require 'plugin_update_checker.php';
apply_filters( 'http_request_host_is_external', true, "my-update-server.com", 'http://my-update-server.com/update/8b6b28f1a2604deea192076cb2343ff4/' );
$MyUpdateChecker = new PluginUpdateChecker_1_3(
    'http://my-update-server/update/8b6b28f1a2604deea192076cb2343ff4/',
    __FILE__,
    'testslug'
);

I thought that if I set the filter in my plugin’s main file it would take care of it, but I think the issue is that the external request is happening right in WordPress’s updater, so maybe my filter doesn’t apply?

2 Answers
2

You can do this:

add_filter( 'http_request_host_is_external', '__return_true' );

However, note that this disables this security feature. If you know the host or url isn’t going to change and is always going to be that, you can be more secure by checking for that explicitly:

add_filter( 'http_request_host_is_external', 'allow_my_custom_host', 10, 3 );
function allow_my_custom_host( $allow, $host, $url ) {
  if ( $host == 'my-update-server' )
    $allow = true;
  return $allow;
}

Leave a Comment