Make WordPress Core

Changeset 56834 for trunk


Ignore:
Timestamp:
10/12/2023 12:29:18 PM (8 months ago)
Author:
jorbin
Message:

REST API: Ensure no-cache headers are sent when methods are ovverriden.

Props tykoted, xknown, ehtis, timothyblynjacobs, peterwilsoncc, rmccue, jorbin.

Location:
trunk/src/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api.php

    r56819 r56834  
    10911091
    10921092    if ( ! $result ) {
     1093        add_filter( 'rest_send_nocache_headers', '__return_true', 20 );
    10931094        return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
    10941095    }
  • trunk/src/wp-includes/rest-api/class-wp-rest-server.php

    r56645 r56834  
    324324
    325325        /**
    326          * Filters whether to send nocache headers on a REST API request.
    327          *
    328          * @since 4.4.0
    329          *
    330          * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
    331          */
    332         $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
    333         if ( $send_no_cache_headers ) {
    334             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
    335                 if ( empty( $header_value ) ) {
    336                     $this->remove_header( $header );
    337                 } else {
    338                     $this->send_header( $header, $header_value );
    339                 }
    340             }
    341         }
    342 
    343         /**
    344326         * Filters whether the REST API is enabled.
    345327         *
     
    395377         * header.
    396378         */
     379        $method_overridden = false;
    397380        if ( isset( $_GET['_method'] ) ) {
    398381            $request->set_method( $_GET['_method'] );
    399382        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
    400383            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
     384            $method_overridden = true;
    401385        }
    402386
     
    498482         */
    499483        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
     484
     485        /**
     486         * Filters whether to send nocache headers on a REST API request.
     487         *
     488         * @since 4.4.0
     489         * @since 6.3.2 Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
     490         *
     491         * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
     492         */
     493        $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
     494
     495        // send no cache headers if the $send_no_cache_headers is true
     496        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4x response code.
     497        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
     498            foreach ( wp_get_nocache_headers() as $header => $header_value ) {
     499                if ( empty( $header_value ) ) {
     500                    $this->remove_header( $header );
     501                } else {
     502                    $this->send_header( $header, $header_value );
     503                }
     504            }
     505        }
    500506
    501507        if ( ! $served ) {
Note: See TracChangeset for help on using the changeset viewer.