Changeset 39437 for branches/4.7

Timestamp:

12/02/2016 10:04:06 PM (9 years ago)

Author:

rachelbaker

Message:

REST API: Return a WP_Error if meta property is not an array.

Fixes bug where a PHP Warning is currently thrown if a client sends a request where meta is not an array value.

Merges [39436] onto 4.7 branch.

Props timmydcrawford, jnylen0, rachelbaker, pento.
Fixes #38989 for 4.7.

Location:

branches/4.7

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php (modified) (6 diffs)
• tests/phpunit/tests/rest-api/rest-post-meta-fields.php (modified) (1 diff)

branches/4.7/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php

@@ -118 +118 @@
      * @access public
      *
-     * @param WP_REST_Request $request   Full details about the request.
+     * @param array           $meta      Array of meta parsed from the request.
      * @param int             $object_id Object ID to fetch meta for.
      * @return WP_Error|null WP_Error if one occurs, null on success.
      */
-    public function update_value( $request, $object_id ) {
+    public function update_value( $meta, $object_id ) {
         $fields = $this->get_registered_fields();
         foreach ( $fields as $meta_key => $args ) {
             $name = $args['name'];
-            if ( ! array_key_exists( $name, $request ) ) {
+            if ( ! array_key_exists( $name, $meta ) ) {
                 continue;
             }
@@ -134 +134 @@
              * from the database and then relying on the default value.
              */
-            if ( is_null( $request[ $name ] ) ) {
+            if ( is_null( $meta[ $name ] ) ) {
                 $result = $this->delete_meta_value( $object_id, $meta_key, $name );
                 if ( is_wp_error( $result ) ) {
@@ -142 +142 @@
             }
 
-            $is_valid = rest_validate_value_from_schema( $request[ $name ], $args['schema'], 'meta.' . $name );
+            $is_valid = rest_validate_value_from_schema( $meta[ $name ], $args['schema'], 'meta.' . $name );
             if ( is_wp_error( $is_valid ) ) {
                 $is_valid->add_data( array( 'status' => 400 ) );
@@ -148 +148 @@
             }
 
-            $value = rest_sanitize_value_from_schema( $request[ $name ], $args['schema'] );
+            $value = rest_sanitize_value_from_schema( $meta[ $name ], $args['schema'] );
 
             if ( $args['single'] ) {
@@ -392 +392 @@
             'context'     => array( 'view', 'edit' ),
             'properties'  => array(),
+            'arg_options' => array(
+                'sanitize_callback' => null,
+                'validate_callback' => array( $this, 'check_meta_is_array' ),
+            ),
         );
 
@@ -445 +449 @@
         return $value;
     }
+
+    /**
+     * Check the 'meta' value of a request is an associative array.
+     *
+     * @since 4.7.0
+     * @access public
+     *
+     * @param  mixed           $value   The meta value submitted in the request.
+     * @param  WP_REST_Request $request Full details about the request.
+     * @param  string          $param   The parameter name.
+     * @return WP_Error|string The meta array, if valid, otherwise an error.
+     */
+    public function check_meta_is_array( $value, $request, $param ) {
+        if ( ! is_array( $value ) ) {
+            return false;
+        }
+
+        return $value;
+    }
 }

branches/4.7/tests/phpunit/tests/rest-api/rest-post-meta-fields.php

@@ -787 +787 @@
     }
 
+    /**
+     * @ticket 38989
+     */
+    public function test_set_value_invalid_meta_string_request_type() {
+        update_post_meta( self::$post_id, 'test_single', 'So I tied an onion to my belt, which was the style at the time.' );
+        $post_original = get_post( self::$post_id );
+
+        $this->grant_write_permission();
+
+        $data = array(
+            'title' => 'Ignore this title',
+            'meta'  => 'Not an array.',
+        );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_body_params( $data );
+
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+
+        // The meta value should not have changed.
+        $current_value = get_post_meta( self::$post_id, 'test_single', true );
+        $this->assertEquals( 'So I tied an onion to my belt, which was the style at the time.', $current_value );
+
+        // Ensure the post title update was not processed.
+        $post_updated = get_post( self::$post_id );
+        $this->assertEquals( $post_original->post_title, $post_updated->post_title );
+    }
+
+    /**
+     * @ticket 38989
+     */
+    public function test_set_value_invalid_meta_float_request_type() {
+        update_post_meta( self::$post_id, 'test_single', 'Now, to take the ferry cost a nickel, and in those days, nickels had pictures of bumblebees on them.' );
+        $post_original = get_post( self::$post_id );
+
+        $this->grant_write_permission();
+
+        $data = array(
+            'content' => 'Ignore this content.',
+            'meta'    => 1.234,
+        );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_body_params( $data );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+
+        // The meta value should not have changed.
+        $current_value = get_post_meta( self::$post_id, 'test_single', true );
+        $this->assertEquals( 'Now, to take the ferry cost a nickel, and in those days, nickels had pictures of bumblebees on them.', $current_value );
+
+        // Ensure the post content update was not processed.
+        $post_updated = get_post( self::$post_id );
+        $this->assertEquals( $post_original->post_content, $post_updated->post_content );
+    }
+
     public function test_remove_multi_value_db_error() {
         add_post_meta( self::$post_id, 'test_multi', 'val1' );