WordPress.org
Get WordPress

Make WordPress Core

Opened 16 years ago

Closed 16 years ago

Last modified 4 days ago

#11015 closed enhancement (wontfix)

Admin Ajax actions should pass relevant global variables

Reported by: filosofo's profile filosofo Owned by: ryan's profile ryan
Milestone: Priority: normal
Severity: normal Version: 2.9
Component: JavaScript Keywords: admin-ajax has-patch
Focuses: Cc:

Description

The wp_ajax_* action hooks should pass the global $_REQUEST variable so that callbacks can reduce the number of global objects they have to be aware of and so that they can get the data in a state prior to being modified by anything else.

Attachments (1)

pass_request_vars.11015.diff (566 bytes) - added by filosofo 16 years ago.

Download all attachments as: .zip

Change History (7)

@filosofo
16 years ago

#1 @filosofo
16 years ago

  • Milestone changed from 3.0 to 2.9

Why not 2.9. It's simple and there are no backwards-compatibility issues. :-)

#2 follow-up: @azaozz
16 years ago

-1. Don't see the benefit in doing this. If you have a function that accepts data from different contexts, you would always want to filter what comes from $_REQUEST.

#3 in reply to: ↑ 2 @filosofo
16 years ago

Replying to azaozz:

-1. Don't see the benefit in doing this.

The benefit is

  • You don't have to access global objects in your callback
  • You can be agnostic about whether the "action" is from POST or GET.
  • Testing is more straightforward.
  • There's no harm.

This helps avoid having to check whether "action" is set in POST or GET, and it allows code reuse: I can use the same callback in different places.

#4 @westi
16 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Strong -1

It should be obvious inside a function when you are accessing a superglobal.

Passing $_REQUEST as a argument hides the use of the superglobal in the function.

That makes it much easier to audit code and identify where user supplied data is/isnt being trusted.

This ticket was mentioned in PR #11100 on WordPress/wordpress-develop by @adamsilverstein.
6 days ago #5

## Summary

Builds on #11015. Adds dimension validation to the sideload endpoint.

  • Adds validate_image_dimensions() private method to WP_REST_Attachments_Controller
  • Validates uploaded image dimensions against expected size constraints in the wp/v2/media/<id>/sideload endpoint
  • Moves wp_getimagesize() call earlier in sideload_item() to validate before metadata handling

### Validation rules:

  • 'original' size: must match original attachment dimensions exactly
  • 'full' and 'scaled' sizes: requires positive dimensions only
  • Regular sizes: dimensions must not exceed registered size maximums (with 1px tolerance for rounding differences)

## Test plan

  • [x] test_sideload_item_rejects_oversized_dimensions — uploads 640x480 image as thumbnail (150x150), expects 400 with rest_upload_dimension_mismatch
  • [x] test_sideload_item_accepts_valid_dimensions — uploads 50x50 image as thumbnail, expects 200

Corresponding Gutenberg PR: https://github.com/WordPress/gutenberg/pull/74903

🤖 Generated with Claude Code

@adamsilverstein commented on PR #11100:
4 days ago #6

This worked well in my manual testing.

Note: See TracTickets for help on using tickets.