

Timestamp:
02/27/2025 11:17:38 PM (3 months ago)
Author:
peterwilsoncc
Message:

REST API: Exit gracefully for malformed URLs.

Exit gracefully for requests with a malformed rest_route query string parameter, i.e. anything that is not a string.

This prevents fatal errors from occurring with URLs such as example.com/?rest_route[]=array. Because the URL is user input, logging the data provides no benefit to developers, as they are unable to resolve the issue.

Props geekofshire, dd32, timothyblynjacobs.
Fixes #62932.

File:
1 edited

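--- a/trunk/tests/phpunit/tests/rest-api.php
+++ b/trunk/tests/phpunit/tests/rest-api.php
@@ -2559,3 +2559,28 @@
         $this->assertTrue( $registered );
     }
+
+    /**
+     * @ticket 62932
+     */
+    public function test_should_return_error_if_rest_route_not_string() {
+        global $wp;
+
+        $wp = new stdClass();
+
+        $wp->query_vars = array(
+            'rest_route' => array( 'invalid' ),
+        );
+
+        $this->expectException( WPDieException::class );
+
+        try {
+            rest_api_loaded();
+        } catch ( WPDieException $e ) {
+            $this->assertStringContainsString(
+                'The rest route parameter must be a string.',
+                $e->getMessage()
+            );
+            throw $e; // Re-throw to satisfy expectException
+        }
+    }
 }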
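Review bot: The test overwrites the global `$wp` with a bare `stdClass` (new line 2568) and never restores it, so unless the suite resets that global between tests (not visible on this page), later tests in the same process may run against the stub. Consider saving it first with `$original_wp = $wp;` and restoring it in a `finally` block or in tear-down. The try/catch with re-throw could also be replaced by `$this->expectExceptionMessage( 'The rest route parameter must be a string.' );` next to the `expectException()` call, which checks the same substring with less code. Since the changeset's purpose is to reject malformed user input cleanly, it may also be worth asserting the response status that the die handler receives, if the test harness exposes it.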