Changeset 39219 for trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

Timestamp:

11/14/2016 07:12:31 AM (7 years ago)

Author:

rmccue

Message:

REST API: Improve validation for usernames and passwords.

Also improves the slashing of user data in the REST API to avoid data loss.

Props jnylen0.
Fixes #38739.

File:

• trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (8 diffs)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -418 +418 @@
 
             if ( is_wp_error( $ret['errors'] ) && ! empty( $ret['errors']->errors ) ) {
-                return $ret['errors'];
+                $error = new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) );
+                foreach ( $ret['errors']->errors as $code => $messages ) {
+                    foreach ( $messages as $message ) {
+                        $error->add( $code, $message );
+                    }
+                    if ( $error_data = $error->get_error_data( $code ) ) {
+                        $error->add_data( $error_data, $code );
+                    }
+                }
+                return $error;
             }
         }
@@ -430 +439 @@
 
             $user->ID = $user_id;
-            $user_id  = wp_update_user( $user );
+            $user_id  = wp_update_user( wp_slash( (array) $user ) );
 
             if ( is_wp_error( $user_id ) ) {
@@ -438 +447 @@
             add_user_to_blog( get_site()->id, $user_id, '' );
         } else {
-            $user_id = wp_insert_user( $user );
+            $user_id = wp_insert_user( wp_slash( (array) $user ) );
 
             if ( is_wp_error( $user_id ) ) {
@@ -553 +562 @@
         $user->ID = $id;
 
-        $user_id = wp_update_user( $user );
+        $user_id = wp_update_user( wp_slash( (array) $user ) );
 
         if ( is_wp_error( $user_id ) ) {
@@ -995 +1004 @@
 
         return true;
+    }
+
+    /**
+     * Check a username for the REST API.
+     *
+     * Performs a couple of checks like edit_user() in wp-admin/includes/user.php.
+     *
+     * @since 4.7.0
+     *
+     * @param  mixed            $value   The username submitted in the request.
+     * @param  WP_REST_Request  $request Full details about the request.
+     * @param  string           $param   The parameter name.
+     * @return WP_Error|string The sanitized username, if valid, otherwise an error.
+     */
+    public function check_username( $value, $request, $param ) {
+        $username = (string) rest_sanitize_value_from_schema( $value, $request, $param );
+
+        if ( ! validate_username( $username ) ) {
+            return new WP_Error( 'rest_user_invalid_username', __( 'Username contains invalid characters.' ), array( 'status' => 400 ) );
+        }
+
+        /** This filter is documented in wp-includes/user.php */
+        $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );
+
+        if ( in_array( strtolower( $username ), array_map( 'strtolower', $illegal_logins ) ) ) {
+            return new WP_Error( 'rest_user_invalid_username', __( 'Sorry, that username is not allowed.' ), array( 'status' => 400 ) );
+        }
+
+        return $username;
+    }
+
+    /**
+     * Check a user password for the REST API.
+     *
+     * Performs a couple of checks like edit_user() in wp-admin/includes/user.php.
+     *
+     * @since 4.7.0
+     *
+     * @param  mixed            $value   The password submitted in the request.
+     * @param  WP_REST_Request  $request Full details about the request.
+     * @param  string           $param   The parameter name.
+     * @return WP_Error|string The sanitized password, if valid, otherwise an error.
+     */
+    public function check_user_password( $value, $request, $param ) {
+        $password = (string) rest_sanitize_value_from_schema( $value, $request, $param );
+
+        if ( empty( $password ) ) {
+            return new WP_Error( 'rest_user_invalid_password', __( 'Passwords cannot be empty.' ), array( 'status' => 400 ) );
+        }
+
+        if ( false !== strpos( $password, "\\" ) ) {
+            return new WP_Error( 'rest_user_invalid_password', __( 'Passwords cannot contain the "\\" character.' ), array( 'status' => 400 ) );
+        }
+
+        return $password;
     }
 
@@ -1023 +1087 @@
                     'required'    => true,
                     'arg_options' => array(
-                        'sanitize_callback' => 'sanitize_user',
+                        'sanitize_callback' => array( $this, 'check_username' ),
                     ),
                 ),
@@ -1067 +1131 @@
                     'type'        => 'string',
                     'context'     => array( 'embed', 'view', 'edit' ),
-                    'arg_options' => array(
-                        'sanitize_callback' => 'wp_filter_post_kses',
-                    ),
                 ),
                 'link'        => array(
@@ -1120 +1181 @@
                     'context'     => array(), // Password is never displayed.
                     'required'    => true,
+                    'arg_options' => array(
+                        'sanitize_callback' => array( $this, 'check_user_password' ),
+                    ),
                 ),
                 'capabilities'    => array(