Changeset 56864 for branches/4.8/src/wp-includes/rest-api/class-wp-rest-server.php

Timestamp:

10/12/2023 02:50:31 PM (2 years ago)

Author:

davidbaumwald

Message:

Grouped backports to the 4.8 branch.

• Comments: Prevent users who can not see a post from seeing comments on it.
• Shortcodes: Restrict media shortcode ajax to certain type.
• REST API: Ensure no-cache headers are sent when methods are overridden.
• REST API: Limit search_columns for users without list_users.
• Prevent unintended behavior when certain objects are unserialized.

Merges [56834], [56835], [56836], [56838], and [56840] to the 4.8 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

File:

• branches/4.8/src/wp-includes/rest-api/class-wp-rest-server.php (modified) (2 diffs)

branches/4.8/src/wp-includes/rest-api/class-wp-rest-server.php

@@ -244 +244 @@
 
         /**
-         * Send nocache headers on authenticated requests.
+         * Filters whether the REST API is enabled.
          *
          * @since 4.4.0
+         * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API
+         *
+         * @param bool $rest_enabled Whether the REST API is enabled. Default true.
+         */
+        apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors',
+            __( 'The REST API can no longer be completely disabled, the rest_authentication_errors filter can be used to restrict access to the API, instead.' )
+        );
+
+        /**
+         * Filters whether jsonp is enabled.
+         *
+         * @since 4.4.0
+         *
+         * @param bool $jsonp_enabled Whether jsonp is enabled. Default true.
+         */
+        $jsonp_enabled = apply_filters( 'rest_jsonp_enabled', true );
+
+        $jsonp_callback = null;
+
+        if ( isset( $_GET['_jsonp'] ) ) {
+            if ( ! $jsonp_enabled ) {
+                echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 );
+                return false;
+            }
+
+            $jsonp_callback = $_GET['_jsonp'];
+            if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
+                echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 );
+                return false;
+            }
+        }
+
+        if ( empty( $path ) ) {
+            if ( isset( $_SERVER['PATH_INFO'] ) ) {
+                $path = $_SERVER['PATH_INFO'];
+            } else {
+                $path = '/';
+            }
+        }
+
+        $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path );
+
+        $request->set_query_params( wp_unslash( $_GET ) );
+        $request->set_body_params( wp_unslash( $_POST ) );
+        $request->set_file_params( $_FILES );
+        $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) );
+        $request->set_body( $this->get_raw_data() );
+
+        /*
+         * HTTP method override for clients that can't use PUT/PATCH/DELETE. First, we check
+         * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE
+         * header.
+         */
+        $method_overridden = false;
+        if ( isset( $_GET['_method'] ) ) {
+            $request->set_method( $_GET['_method'] );
+        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
+            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
+            $method_overridden = true;
+        }
+
+        $result = $this->check_authentication();
+
+        if ( ! is_wp_error( $result ) ) {
+            $result = $this->dispatch( $request );
+        }
+
+        // Normalize to either WP_Error or WP_REST_Response...
+        $result = rest_ensure_response( $result );
+
+        // ...then convert WP_Error across.
+        if ( is_wp_error( $result ) ) {
+            $result = $this->error_to_response( $result );
+        }
+
+        /**
+         * Filters the API response.
+         *
+         * Allows modification of the response before returning.
+         *
+         * @since 4.4.0
+         * @since 4.5.0 Applied to embedded responses.
+         *
+         * @param WP_HTTP_Response $result  Result to send to the client. Usually a WP_REST_Response.
+         * @param WP_REST_Server   $this    Server instance.
+         * @param WP_REST_Request  $request Request used to generate the response.
+         */
+        $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $result ), $this, $request );
+
+        // Wrap the response in an envelope if asked for.
+        if ( isset( $_GET['_envelope'] ) ) {
+            $result = $this->envelope_response( $result, isset( $_GET['_embed'] ) );
+        }
+
+        // Send extra data from response objects.
+        $headers = $result->get_headers();
+        $this->send_headers( $headers );
+
+        $code = $result->get_status();
+        $this->set_status( $code );
+
+        /**
+         * Filters whether the request has already been served.
+         *
+         * Allow sending the request manually - by returning true, the API result
+         * will not be sent to the client.
+         *
+         * @since 4.4.0
+         *
+         * @param bool             $served  Whether the request has already been served.
+         *                                           Default false.
+         * @param WP_HTTP_Response $result  Result to send to the client. Usually a WP_REST_Response.
+         * @param WP_REST_Request  $request Request used to generate the response.
+         * @param WP_REST_Server   $this    Server instance.
+         */
+        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
+
+        /**
+         * Filters whether to send nocache headers on a REST API request.
+         *
+         * @since 4.4.0
+         * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
          *
          * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
          */
         $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
-        if ( $send_no_cache_headers ) {
+
+        // send no cache headers if the $send_no_cache_headers is true
+        // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
+        if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
                 if ( empty( $header_value ) ) {
@@ -260 +385 @@
             }
         }
-
-        /**
-         * Filters whether the REST API is enabled.
-         *
-         * @since 4.4.0
-         * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API
-         *
-         * @param bool $rest_enabled Whether the REST API is enabled. Default true.
-         */
-        apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors',
-            __( 'The REST API can no longer be completely disabled, the rest_authentication_errors filter can be used to restrict access to the API, instead.' )
-        );
-
-        /**
-         * Filters whether jsonp is enabled.
-         *
-         * @since 4.4.0
-         *
-         * @param bool $jsonp_enabled Whether jsonp is enabled. Default true.
-         */
-        $jsonp_enabled = apply_filters( 'rest_jsonp_enabled', true );
-
-        $jsonp_callback = null;
-
-        if ( isset( $_GET['_jsonp'] ) ) {
-            if ( ! $jsonp_enabled ) {
-                echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 );
-                return false;
-            }
-
-            $jsonp_callback = $_GET['_jsonp'];
-            if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
-                echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 );
-                return false;
-            }
-        }
-
-        if ( empty( $path ) ) {
-            if ( isset( $_SERVER['PATH_INFO'] ) ) {
-                $path = $_SERVER['PATH_INFO'];
-            } else {
-                $path = '/';
-            }
-        }
-
-        $request = new WP_REST_Request( $_SERVER['REQUEST_METHOD'], $path );
-
-        $request->set_query_params( wp_unslash( $_GET ) );
-        $request->set_body_params( wp_unslash( $_POST ) );
-        $request->set_file_params( $_FILES );
-        $request->set_headers( $this->get_headers( wp_unslash( $_SERVER ) ) );
-        $request->set_body( $this->get_raw_data() );
-
-        /*
-         * HTTP method override for clients that can't use PUT/PATCH/DELETE. First, we check
-         * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE
-         * header.
-         */
-        if ( isset( $_GET['_method'] ) ) {
-            $request->set_method( $_GET['_method'] );
-        } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
-            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
-        }
-
-        $result = $this->check_authentication();
-
-        if ( ! is_wp_error( $result ) ) {
-            $result = $this->dispatch( $request );
-        }
-
-        // Normalize to either WP_Error or WP_REST_Response...
-        $result = rest_ensure_response( $result );
-
-        // ...then convert WP_Error across.
-        if ( is_wp_error( $result ) ) {
-            $result = $this->error_to_response( $result );
-        }
-
-        /**
-         * Filters the API response.
-         *
-         * Allows modification of the response before returning.
-         *
-         * @since 4.4.0
-         * @since 4.5.0 Applied to embedded responses.
-         *
-         * @param WP_HTTP_Response $result  Result to send to the client. Usually a WP_REST_Response.
-         * @param WP_REST_Server   $this    Server instance.
-         * @param WP_REST_Request  $request Request used to generate the response.
-         */
-        $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $result ), $this, $request );
-
-        // Wrap the response in an envelope if asked for.
-        if ( isset( $_GET['_envelope'] ) ) {
-            $result = $this->envelope_response( $result, isset( $_GET['_embed'] ) );
-        }
-
-        // Send extra data from response objects.
-        $headers = $result->get_headers();
-        $this->send_headers( $headers );
-
-        $code = $result->get_status();
-        $this->set_status( $code );
-
-        /**
-         * Filters whether the request has already been served.
-         *
-         * Allow sending the request manually - by returning true, the API result
-         * will not be sent to the client.
-         *
-         * @since 4.4.0
-         *
-         * @param bool             $served  Whether the request has already been served.
-         *                                           Default false.
-         * @param WP_HTTP_Response $result  Result to send to the client. Usually a WP_REST_Response.
-         * @param WP_REST_Request  $request Request used to generate the response.
-         * @param WP_REST_Server   $this    Server instance.
-         */
-        $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
 
         if ( ! $served ) {