Security researchers identified a moderate-level risk in an ICS Calendar function, which was patched in version 10.12.0.4. However, the patch introduced a new issue that prevented access to ICS feeds over an internal network — specifically, if the source calendar server’s URL resolved to an IP address in one of the private or reserved ranges.
An update in version 10.12.2 addresses this via the WordPress core http_request_host_is_external filter.
Using this filter, site developers can write a function that defines a set of allowed hostnames, like this:
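    function my_http_request_host_is_external($external, $host, $url) {
        // Hostnames that may be fetched even though they resolve to
        // private or reserved IP addresses.
        $allowed_hosts = array(
            'mail.example.com', // Add your allowed hosts to this array
        );
        // Returning true tells WordPress to treat the host as external,
        // so the request is allowed. Strict comparison avoids type juggling.
        if (in_array($host, $allowed_hosts, true)) {
            $external = true;
        }
        return $external;
    }
    add_filter('http_request_host_is_external', 'my_http_request_host_is_external', 10, 3);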
This code can go in your theme’s functions.php file or in a custom plugin. (If you are using a pre-built theme, be sure not to edit the theme’s files directly, as the changes will get overwritten when the theme is updated. Use a child theme instead.)
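A narrower variant of the filter, shown as an added example that is not part of ICS Calendar or the original post: because the filter applies to every validated WordPress HTTP request and not only to calendar feeds, this version makes the exception only when the scheme, port and path also match. The function name, the host `mail.example.com`, the port and the `/calendars/` path prefix are placeholder assumptions to replace with your own feed's values.

```php
// Added example: allow an internal host only for its calendar feed URLs.
function my_strict_http_request_host_is_external($external, $host, $url) {
    // Constructed allowlist: one rule per internal calendar server.
    $allowed = array(
        'mail.example.com' => array(
            'scheme' => 'https',
            'port'   => 443,
            'path'   => '/calendars/', // feed URLs must begin with this path
        ),
    );

    // Normalize case and a trailing dot before the lookup.
    $host = strtolower(rtrim($host, '.'));
    if (!isset($allowed[$host])) {
        return $external; // Not one of our hosts: keep WordPress's decision.
    }
    $rule = $allowed[$host];

    $parts = wp_parse_url($url);
    if (!is_array($parts)) {
        return $external; // Unparseable URL: do not grant an exception.
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    $port   = isset($parts['port']) ? (int) $parts['port'] : ('https' === $scheme ? 443 : 80);
    $path   = isset($parts['path']) ? $parts['path'] : '/';

    // Reject dot-segments so "/calendars/../other" cannot pass the prefix check.
    if (false !== strpos($path, '..')) {
        return $external;
    }

    if ($scheme === $rule['scheme']
        && $port === $rule['port']
        && 0 === strpos($path, $rule['path'])
    ) {
        return true; // Treat as external, so the request is allowed.
    }
    return $external;
}
add_filter('http_request_host_is_external', 'my_strict_http_request_host_is_external', 10, 3);
```

Requests to the same host on another port, over plain HTTP, or outside the feed path fall through to WordPress's default handling of private and reserved addresses.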
This version of ICS Calendar also adds a few other changes to the ICS Feed URL Tester utility and the debugging tools, to enhance server data security even when this filter is used. I take security very seriously and want to be sure ICS Calendar is an effective and safe tool for its users.
—Scott