WordPress Version: 6.5
/**
* Downloads a URL to a local temporary file using the WordPress HTTP API.
*
* Please note that the calling function must delete or move the file.
*
* @since 2.5.0
* @since 5.2.0 Signature Verification with SoftFail was added.
* @since 5.9.0 Support for Content-Disposition filename was added.
*
* @param string $url The URL of the file to download.
* @param int $timeout The timeout for the request to download the file.
* Default 300 seconds.
* @param bool $signature_verification Whether to perform Signature Verification.
* Default false.
* @return string|WP_Error Filename on success, WP_Error on failure.
*/
function download_url($url, $timeout = 300, $signature_verification = false)
{
// WARNING: The file is not automatically deleted, the script must delete or move the file.
if (!$url) {
return new WP_Error('http_no_url', __('Invalid URL Provided.'));
}
$url_path = parse_url($url, PHP_URL_PATH);
$url_filename = '';
if (is_string($url_path) && '' !== $url_path) {
$url_filename = basename($url_path);
}
$tmpfname = wp_tempnam($url_filename);
if (!$tmpfname) {
return new WP_Error('http_no_file', __('Could not create temporary file.'));
}
$response = wp_safe_remote_get($url, array('timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname));
if (is_wp_error($response)) {
unlink($tmpfname);
return $response;
}
$response_code = wp_remote_retrieve_response_code($response);
if (200 !== $response_code) {
$data = array('code' => $response_code);
// Retrieve a sample of the response body for debugging purposes.
$tmpf = fopen($tmpfname, 'rb');
if ($tmpf) {
/**
* Filters the maximum error response body size in `download_url()`.
*
* @since 5.1.0
*
* @see download_url()
*
* @param int $size The maximum error response body size. Default 1 KB.
*/
$response_size = apply_filters('download_url_error_max_body_size', KB_IN_BYTES);
$data['body'] = fread($tmpf, $response_size);
fclose($tmpf);
}
unlink($tmpfname);
return new WP_Error('http_404', trim(wp_remote_retrieve_response_message($response)), $data);
}
$content_disposition = wp_remote_retrieve_header($response, 'Content-Disposition');
if ($content_disposition) {
$content_disposition = strtolower($content_disposition);
if (str_starts_with($content_disposition, 'attachment; filename=')) {
$tmpfname_disposition = sanitize_file_name(substr($content_disposition, 21));
} else {
$tmpfname_disposition = '';
}
// Potential file name must be valid string.
if ($tmpfname_disposition && is_string($tmpfname_disposition) && 0 === validate_file($tmpfname_disposition)) {
$tmpfname_disposition = dirname($tmpfname) . '/' . $tmpfname_disposition;
if (rename($tmpfname, $tmpfname_disposition)) {
$tmpfname = $tmpfname_disposition;
}
if ($tmpfname !== $tmpfname_disposition && file_exists($tmpfname_disposition)) {
unlink($tmpfname_disposition);
}
}
}
$content_md5 = wp_remote_retrieve_header($response, 'Content-MD5');
if ($content_md5) {
$md5_check = verify_file_md5($tmpfname, $content_md5);
if (is_wp_error($md5_check)) {
unlink($tmpfname);
return $md5_check;
}
}
// If the caller expects signature verification to occur, check to see if this URL supports it.
if ($signature_verification) {
/**
* Filters the list of hosts which should have Signature Verification attempted on.
*
* @since 5.2.0
*
* @param string[] $hostnames List of hostnames.
*/
$signed_hostnames = apply_filters('wp_signature_hosts', array('wordpress.org', 'downloads.wordpress.org', 's.w.org'));
$signature_verification = in_array(parse_url($url, PHP_URL_HOST), $signed_hostnames, true);
}
// Perform signature validation if supported.
if ($signature_verification) {
$signature = wp_remote_retrieve_header($response, 'X-Content-Signature');
if (!$signature) {
/*
* Retrieve signatures from a file if the header wasn't included.
* WordPress.org stores signatures at $package_url.sig.
*/
$signature_url = false;
if (is_string($url_path) && (str_ends_with($url_path, '.zip') || str_ends_with($url_path, '.tar.gz'))) {
$signature_url = str_replace($url_path, $url_path . '.sig', $url);
}
/**
* Filters the URL where the signature for a file is located.
*
* @since 5.2.0
*
* @param false|string $signature_url The URL where signatures can be found for a file, or false if none are known.
* @param string $url The URL being verified.
*/
$signature_url = apply_filters('wp_signature_url', $signature_url, $url);
if ($signature_url) {
$signature_request = wp_safe_remote_get($signature_url, array('limit_response_size' => 10 * KB_IN_BYTES));
if (!is_wp_error($signature_request) && 200 === wp_remote_retrieve_response_code($signature_request)) {
$signature = explode("\n", wp_remote_retrieve_body($signature_request));
}
}
}
// Perform the checks.
$signature_verification = verify_file_signature($tmpfname, $signature, $url_filename);
}
if (is_wp_error($signature_verification)) {
if (apply_filters('wp_signature_softfail', true, $url)) {
$signature_verification->add_data($tmpfname, 'softfail-filename');
} else {
// Hard-fail.
unlink($tmpfname);
}
return $signature_verification;
}
return $tmpfname;
}