
Changeset 37163


Timestamp:
04/06/2016 09:01:11 PM (5 years ago)
Author:
markjaquith
Message:

REST API: Deliver parameters unadulterated instead of slashed.

We goofed, and parameters accessed through the REST API's methods
were slashed (inconsistently, even). This unslashes the data, so
you get the un-messed-with data that was sent.

Props joehoyle.
Fixes #36419.

Location:
trunk
Files:
3 edited

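--- a/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -304,8 +304,8 @@
         $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path );
 
-        $request->set_query_params( $_GET );
-        $request->set_body_params( $_POST );
+        $request->set_query_params( wp_unslash( $_GET ) );
+        $request->set_body_params( wp_unslash( $_POST ) );
         $request->set_file_params( $_FILES );
-        $request->set_headers( $this->get_headers( $_SERVER ) );
+        $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) );
         $request->set_body( $this->get_raw_data() );
 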
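Review bot: `$_SERVER['REQUEST_METHOD']` on the first line of the hunk is still read from the slashed superglobal while the headers a few lines later come from `wp_unslash( $_SERVER )`, so the request is built from two views of the same array; unslashing once into a local, `$server = wp_unslash( $_SERVER );`, and then using `$server['REQUEST_METHOD']` and `$this->get_headers( $server )` keeps the two consistent and avoids a second deep copy. `$_FILES` on the unchanged line in between is left as-is, presumably because the bootstrap slashing does not touch it, but nothing here says so; a comment such as `// Superglobals are slashed on bootstrap; hand route callbacks the raw input ($_FILES is never slashed).` would record the intent. Since callbacks now receive raw user input rather than the (inconsistently) slashed form, any callback that relied on slashing before passing values to a database or output sink must escape at that sink itself (e.g. `$wpdb->prepare()`), which is worth calling out in the WP_REST_Request documentation. serve_request() continues outside the hunk.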
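--- a/trunk/tests/phpunit/includes/spy-rest-server.php
+++ b/trunk/tests/phpunit/includes/spy-rest-server.php
@@ -5,4 +5,5 @@
     public $sent_headers = array();
     public $sent_body = '';
+    public $last_request = null;
 
     /**
@@ -30,4 +31,15 @@
     }
 
+    /**
+     * Override the dispatch method so we can get a handle on the request object.
+     *
+     * @param  WP_REST_Request $request
+     * @return WP_REST_Response Response returned by the callback.
+     */
+    public function dispatch( $request ) {
+        $this->last_request = $request;
+        return parent::dispatch( $request );
+    }
+
     public function serve_request( $path = null ) {
 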
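Review bot: `$last_request` is declared without a docblock while the `dispatch()` override below it is documented; tests read the property directly, so add `/** @var WP_REST_Request|null The request most recently passed to dispatch(). */` above it. The property is never cleared, so on an instance reused across calls it keeps the previous request until dispatch() runs again; if each test gets a fresh Spy_REST_Server this is harmless, but it is worth stating in that docblock. The class header and the serve_request() body lie outside the hunk.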
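--- a/trunk/tests/phpunit/tests/rest-api/rest-server.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-server.php
@@ -744,4 +744,131 @@
     }
 
+    public function test_serve_request_url_params_are_unslashed() {
+
+        $this->server->register_route( 'test', '/test/(?P<data>.*)', array(
+            array(
+                'methods'  => WP_REST_Server::READABLE,
+                'callback' => '__return_false',
+                'args'     => array(
+                    'data' => array(),
+                ),
+            ),
+        ) );
+
+        $result = $this->server->serve_request( '/test/data\\with\\slashes' );
+        $url_params = $this->server->last_request->get_url_params();
+        $this->assertEquals( 'data\\with\\slashes', $url_params['data'] );
+    }
+
+    public function test_serve_request_query_params_are_unslashed() {
+
+        $this->server->register_route( 'test', '/test', array(
+            array(
+                'methods'  => WP_REST_Server::READABLE,
+                'callback' => '__return_false',
+                'args'     => array(
+                    'data' => array(),
+                ),
+            ),
+        ) );
+
+        // WordPress internally will slash the superglobals on bootstrap
+        $_GET = wp_slash( array(
+            'data' => 'data\\with\\slashes',
+        ) );
+
+        $result = $this->server->serve_request( '/test' );
+        $query_params = $this->server->last_request->get_query_params();
+        $this->assertEquals( 'data\\with\\slashes', $query_params['data'] );
+    }
+
+    public function test_serve_request_body_params_are_unslashed() {
+
+        $this->server->register_route( 'test', '/test', array(
+            array(
+                'methods'  => WP_REST_Server::READABLE,
+                'callback' => '__return_false',
+                'args'     => array(
+                    'data' => array(),
+                ),
+            ),
+        ) );
+
+        // WordPress internally will slash the superglobals on bootstrap
+        $_POST = wp_slash( array(
+            'data' => 'data\\with\\slashes',
+        ) );
+
+        $result = $this->server->serve_request( '/test/data' );
+
+        $body_params = $this->server->last_request->get_body_params();
+        $this->assertEquals( 'data\\with\\slashes', $body_params['data'] );
+    }
+
+    public function test_serve_request_json_params_are_unslashed() {
+
+        $this->server->register_route( 'test', '/test', array(
+            array(
+                'methods'  => WP_REST_Server::READABLE,
+                'callback' => '__return_false',
+                'args'     => array(
+                    'data' => array(),
+                ),
+            ),
+        ) );
+
+        $_SERVER['HTTP_CONTENT_TYPE'] = 'application/json';
+        $GLOBALS['HTTP_RAW_POST_DATA'] = json_encode( array(
+            'data' => 'data\\with\\slashes',
+        ) );
+
+        $result = $this->server->serve_request( '/test' );
+        $json_params = $this->server->last_request->get_json_params();
+        $this->assertEquals( 'data\\with\\slashes', $json_params['data'] );
+    }
+
+    public function test_serve_request_file_params_are_unslashed() {
+
+        $this->server->register_route( 'test', '/test', array(
+            array(
+                'methods'  => WP_REST_Server::READABLE,
+                'callback' => '__return_false',
+                'args'     => array(
+                    'data' => array(),
+                ),
+            ),
+        ) );
+
+        // WordPress internally will slash the superglobals on bootstrap
+        $_FILES = array(
+            'data' => array(
+                'name' => 'data\\with\\slashes',
+            ),
+        );
+
+        $result = $this->server->serve_request( '/test/data\\with\\slashes' );
+        $file_params = $this->server->last_request->get_file_params();
+        $this->assertEquals( 'data\\with\\slashes', $file_params['data']['name'] );
+    }
+
+    public function test_serve_request_headers_are_unslashed() {
+
+        $this->server->register_route( 'test', '/test', array(
+            array(
+                'methods'  => WP_REST_Server::READABLE,
+                'callback' => '__return_false',
+                'args'     => array(
+                    'data' => array(),
+                ),
+            ),
+        ) );
+
+        // WordPress internally will slash the superglobals on bootstrap
+        $_SERVER['HTTP_X_MY_HEADER'] = wp_slash( 'data\\with\\slashes' );
+
+        $result = $this->server->serve_request( '/test/data\\with\\slashes' );
+        $this->assertEquals( 'data\\with\\slashes', $this->server->last_request->get_header( 'x_my_header') );
+    }
+
     public function filter_wp_rest_server_class() {
         return 'Spy_REST_Server';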
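Review bot: `test_serve_request_file_params_are_unslashed` assigns `$_FILES` directly instead of through `wp_slash()` as the query, body and header tests do, so it only shows pass-through and the copied comment about bootstrap slashing is misleading there; either slash the fixture, if `$_FILES` really is slashed on bootstrap, or rename it to `test_serve_request_file_params_are_passed_through` and drop the comment. The JSON and header tests leave `$_SERVER['HTTP_CONTENT_TYPE']`, `$_SERVER['HTTP_X_MY_HEADER']` and `$GLOBALS['HTTP_RAW_POST_DATA']` set when they return, so unless the base test case resets them a later test in this class inherits a JSON content type it never set; saving and restoring them in the test (or in tearDown()) keeps the tests independent. `$result` is assigned in every new test but never checked, which also hides that the body test requests `/test/data` against a route registered as `/test`, which probably does not match and yields an error response even though the assertion on the captured request still passes. The enclosing test class continues outside the hunk.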