From: Markus Koschany <apo@debian.org>
Date: Fri, 16 Sep 2016 16:43:45 +0200
Subject: CVE-2016-4029

WordPress before 4.5 does not consider octal and hexadecimal IP address formats
when determining an intranet address, which allows remote attackers to bypass
an intended SSRF protection mechanism via a crafted address.

https://codex.wordpress.org/Version_4.5
See also https://wpvulndb.com/vulnerabilities/8473

Origin: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
---
 wp-includes/http.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -466,7 +466,7 @@
 
 	if ( ! $same_host ) {
 		$host = trim( $parsed_url['host'], '.' );
-		if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+		if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
 			$ip = $host;
 		} else {
 			$ip = gethostbyname( $host );
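
Review bot: the replacement pattern on the `preg_match` line has no comment explaining why it is this strict, and the `else` branch now carries the security weight for every host the pattern rejects. The pattern accepts only four decimal octets in the range 0-255 with no leading zero, so a host with a leading-zero or out-of-range octet is no longer assigned to `$ip` directly and goes to `gethostbyname( $host )` instead. Suggest adding a one-line comment above the `if` stating that only canonical dotted-decimal is treated as a literal address and everything else must go through resolution. Also confirm that the code consuming `$ip` after this hunk, which is not visible here, handles the case where `gethostbyname()` fails and returns its argument unchanged, because it would then be comparing the original non-canonical string.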
