

Timestamp:
10/24/2017 09:04:50 PM (6 years ago)
Author:
joehoyle
Message:

REST API: Don’t remove unregistered properties from objects in schema.

In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

File:
1 edited

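--- a/trunk/src/wp-includes/rest-api.php
+++ b/trunk/src/wp-includes/rest-api.php
@@ -1107,11 +1107,11 @@
 
         foreach ( $value as $property => $v ) {
-            if ( ! isset( $args['properties'][ $property ] ) ) {
-                continue;
-            }
-            $is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' );
-
-            if ( is_wp_error( $is_valid ) ) {
-                return $is_valid;
+            if ( isset( $args['properties'][ $property ] ) ) {
+                $is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' );
+                if ( is_wp_error( $is_valid ) ) {
+                    return $is_valid;
+                }
+            } elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
+                return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not a valid property of Object.' ), $property ) );
             }
         }
@@ -1247,9 +1247,9 @@
 
         foreach ( $value as $property => $v ) {
-            if ( ! isset( $args['properties'][ $property ] ) ) {
+            if ( isset( $args['properties'][ $property ] ) ) {
+                $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] );
+            } elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
                 unset( $value[ $property ] );
-                continue;
             }
-            $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] );
         }
 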
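Review bot: The new `elseif` in the validate loop (new lines 1114–1115) only rejects unknown properties when `additionalProperties` is exactly `false`; a schema-valued `additionalProperties` (an array with its own `type`), which JSON Schema also permits, is treated the same as an absent key, so the extra property passes through unvalidated, and the sanitize loop at new lines 1251–1253 likewise returns it unsanitized. Since this change makes pass-through the default for every object argument that does not explicitly opt out with `false`, both loops should run extras against that schema when one is supplied, rather than relying on each endpoint to remember the opt-out. The same `elseif ( isset( $args['additionalProperties'] ) && is_array( $args['additionalProperties'] ) )` branch calling `rest_sanitize_value_from_schema( $v, $args['additionalProperties'] )` would cover the sanitize loop. The enclosing functions start and end outside these hunks, so the pass-through default should also be stated in their docblocks, e.g. `// Unregistered properties are passed through untouched unless additionalProperties is false.`
```php
        foreach ( $value as $property => $v ) {
            if ( isset( $args['properties'][ $property ] ) ) {
                // … unchanged: validate against the registered property schema …
            } elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
                return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not a valid property of Object.' ), $property ) );
            } elseif ( isset( $args['additionalProperties'] ) && is_array( $args['additionalProperties'] ) ) {
                // additionalProperties given as a schema: unregistered keys must validate against it.
                $is_valid = rest_validate_value_from_schema( $v, $args['additionalProperties'], $param . '[' . $property . ']' );
                if ( is_wp_error( $is_valid ) ) {
                    return $is_valid;
                }
            }
        }
```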