when shell env includes https_proxy, wp core check-update fails without php-curl installed #292
Description
Bug Report
- [✅] Yes, I reviewed the contribution guidelines.
- [✅] Yes, more specifically, I reviewed the guidelines on how to write clear bug reports.
Describe the current, buggy behavior
wp-cli seems to honor http_proxy and/or https_proxy shell environment variables properly only when php-curl is installed, but when using the fallback fsockopen transport of Requests, wp core check-update and wp core download --force fail in misleading fashion, leading to the possible mistaken conclusion that the current install is up to date.
Here is a shell session on a host that must use a proxy to reach the public internet and that does not have php-curl installed:
$ curl -s https://api.wordpress.org/core/version-check/1.7/?locale=en_US | jq . |head -n 20 { "offers": [ { "response": "upgrade", "download": "https://downloads.wordpress.org/release/wordpress-6.8.3.zip", "locale": "en_US", "packages": { "full": "https://downloads.wordpress.org/release/wordpress-6.8.3.zip", "no_content": "https://downloads.wordpress.org/release/wordpress-6.8.3-no-content.zip", "new_bundled": "https://downloads.wordpress.org/release/wordpress-6.8.3-new-bundled.zip", "partial": false, "rollback": false }, "current": "6.8.3", "version": "6.8.3", "php_version": "7.2.24", "mysql_version": "5.5.5", "new_bundled": "6.7", "partial_version": false }, $ wp core version 6.8.2 $ wp core check-update Success: WordPress is at the latest version. $ wp core download --force Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': stream_socket_client(): Unable to connect to ssl://api.wordpress.org:443 (Connection timed out). Now let's try again after installing php-curl:
$ dpkg -l |grep "php.*curl" ii php8.2-curl 8.2.29-1~deb12u1 amd64 CURL module for PHP $ wp core check-update +---------+-------------+-----------------------------------------------------------------------+ | version | update_type | package_url | +---------+-------------+-----------------------------------------------------------------------+ | 6.8.3 | minor | https://downloads.wordpress.org/release/wordpress-6.8.3-partial-2.zip | +---------+-------------+-----------------------------------------------------------------------+ Steps to replicate
- Create a container or VM (let's call it internal.example.org) that must use a proxy of the form http://proxy.example.org:3128 to reach the public Internet.
- Confirm access to public resources, specifically the URL https://api.wordpress.org/core/version-check/1.7/?locale=en_US with a tool such as curl.
- install the most recent vulnerable version of wordpress on internal.example.org
- confirm WP install is reachable locally
- attempt both
wp core check-updateandwp core download --forceon internal.example.org
Describe what you would expect as the correct outcome
I would expect both check-update and download --force to correctly identify the existence of a new minor or major version. Failing that, I would expect both to give a cogent error.
Multiple possible approaches could be pursued, including tests both for the availability of curl and the presence of proxy environment variables, but the present defaults present an ugly tripping hazard.
Environment where this error occurs
$ wp --info OS: Linux 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64 Shell: /bin/bash PHP binary: /usr/bin/php8.2 PHP version: 8.2.29 php.ini used: /etc/php/8.2/cli/php.ini MySQL binary: /usr/bin/mariadb MySQL version: mariadb Ver 15.1 Distrib 10.11.14-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper SQL modes: WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli WP-CLI vendor dir: phar://wp-cli.phar/vendor WP_CLI phar path: phar:///usr/local/bin/wp WP-CLI packages dir: WP-CLI cache dir: /localhome/phptest/.wp-cli/cache WP-CLI global config: WP-CLI project config: WP-CLI version: 2.12.0 Additional context
Similar error to wp-cli/checksum-command#93