Changeset 59886

Timestamp:

02/27/2025 11:17:38 PM (8 hours ago)

Author:

peterwilsoncc

Message:

REST API: Exit gracefully for malformed URLs.

Exit gracefully for requests with a malformed rest_route query string parameter, ie anything that is not a string.

This prevents fatal errors from occurring with URLs such as example.com/?rest_route[]=array as the URL is user input so logging the data provides no benefit to developers as they are unable to resolve the issue.

Props geekofshire, dd32, timothyblynjacobs.
Fixes #62932.

Location:

trunk

Files:

• src/wp-includes/rest-api.php (modified) (1 diff)
• tests/phpunit/tests/rest-api.php (modified) (1 diff)

trunk/src/wp-includes/rest-api.php

@@ -431 +431 @@
     }
 
+    // Return an error message if query_var is not a string.
+    if ( ! is_string( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
+        $rest_type_error = new WP_Error(
+            'rest_path_invalid_type',
+            __( 'The rest route parameter must be a string.' ),
+            array( 'status' => 400 )
+        );
+        wp_die( $rest_type_error );
+    }
+
     /**
      * Whether this is a REST Request.

trunk/tests/phpunit/tests/rest-api.php

@@ -2559 +2559 @@
         $this->assertTrue( $registered );
     }
+
+    /**
+     * @ticket 62932
+     */
+    public function test_should_return_error_if_rest_route_not_string() {
+        global $wp;
+
+        $wp = new stdClass();
+
+        $wp->query_vars = array(
+            'rest_route' => array( 'invalid' ),
+        );
+
+        $this->expectException( WPDieException::class );
+
+        try {
+            rest_api_loaded();
+        } catch ( WPDieException $e ) {
+            $this->assertStringContainsString(
+                'The rest route parameter must be a string.',
+                $e->getMessage()
+            );
+            throw $e; // Re-throw to satisfy expectException
+        }
+    }
 }