From 8d0cf43844a532b3fd8b9afa2319c90246b21730 Mon Sep 17 00:00:00 2001
From: Zack Tollman
Date: Tue, 31 Mar 2015 21:46:46 -0700
Subject: [PATCH] Only check domain when assessing secure variant.

It is possible that issuing a request to a resource could pose a security threat. To mitigate this concern, the secure variant checks will only request against the root domain. The path and query vars are stripped off before making the request.

---
 src/helpers.php | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/helpers.php b/src/helpers.php
index 63bca0f..18ee51f 100644
--- a/src/helpers.php
+++ b/src/helpers.php
@@ -219,11 +219,24 @@ function mcd_remove_violation( $id ) {
  * @return bool True if URI is connectable; false if it is not.
  */
 function mcd_is_valid_uri( $uri ) {
+ $pieces = parse_url( $uri );
+
+ if ( ! isset( $pieces['host'] ) ) {
+ return false;
+ }
+
+ // Piece the domain back together
+ $uri = $pieces['host'];
+ $uri .= ( isset( $pieces['port'] ) ) ? ':' . absint( $pieces['port'] ) : '';
+
+ // Add the scheme
+ $uri = 'https://' . $uri;
+
 $response = wp_remote_get( $uri, array(
 /**
 * Do a HEAD request for efficiency.
 */
- 'method' => 'HEAD',
+ 'method' => 'HEAD',

 /**
 * HEAD requests will not redirect by default. It is important that redirection works in case the
@@ -251,8 +264,7 @@ function mcd_is_valid_uri( $uri ) {
  * @return bool True if URI is connectable; false if it is not.
  */
 function mcd_uri_has_secure_version( $uri ) {
- $https_uri = set_url_scheme( $uri, 'https' );
- return mcd_is_valid_uri( $https_uri );
+ return mcd_is_valid_uri( $uri );
 }

 endif;
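Review bot: The HEAD request issued by `wp_remote_get` in the new body of `mcd_is_valid_uri` still goes to whatever host and port appear in the scanned URL, so stripping the path and query does not stop the check from connecting to loopback or internal addresses; adding `'reject_unsafe_urls' => true,` to the argument array makes WordPress run `wp_http_validate_url` on the target before connecting. The docblock's `@return bool True if URI is connectable; false if it is not.` no longer matches the body, which drops path and query, forces `https://`, and returns false for any input `parse_url` cannot extract a host from; suggest `@return bool True if the URI's host (and port) answers over HTTPS; false if it has no host or does not respond.` Any other caller of `mcd_is_valid_uri` that relied on the input's own scheme being tested now gets the HTTPS-host check instead, which I cannot confirm from this hunk. The `wp_remote_get` argument array and the rest of the function continue past the end of the hunk.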
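Review bot: `mcd_uri_has_secure_version` is now a bare alias of `mcd_is_valid_uri`, and the forcing of the `https://` scheme it depends on lives only in the callee, so nothing in this function shows that the secure variant is what gets tested; a comment such as `// mcd_is_valid_uri() rebuilds the target as https://host[:port] before connecting.` above the return would keep that visible. With the `set_url_scheme` call removed, a later change that makes `mcd_is_valid_uri` honour the input scheme would silently turn this into a plain reachability check.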