Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#34305 closed defect (bug) (maybelater)

Protect the `wp/v[0-9]*` namespace

Reported by: rachelbaker's profile rachelbaker Owned by: rmccue's profile rmccue
Milestone: Priority: normal
Severity: normal Version:
Component: REST API Keywords: dev-feedback needs-patch
Focuses: Cc:


Mentioned by @wonderboymusic during the weekly dev chat. Added here for continued discussion and tracking.

Initial discussion thread:

@azaozz Thoughtwp/* should be protected instead

Change History (7)

#1 @rmccue
8 years ago

We can probably protect these in register_rest_route, and require them to be registered via WP_REST_Server->register_route? Alternatively, maybe you have to pass _no_really_i_know_what_i_am_doing => true in the args.

Not sure how we protect this without locking the plugin out. We could check the backtrace and see if the caller was in the API plugin? ;)

This ticket was mentioned in Slack in #core-restapi by rachelbaker. View the logs.

8 years ago

#3 @rmccue
8 years ago

We discussed this in Slack. Our current thoughts are along the lines of: add a _builtin => true to our routes, and disallow (via _doing_it_wrong) registering routes under wp/v* without the flag.

Not entirely happy with the approach though. It doesn't solve the copypasta issue (if you copy-paste wp/v2, you'll probably copy-paste the _builtin bit too).

#4 @georgestephanis
8 years ago

Utter pedantism, but probably better to use [\d]+ instead of [0-9]* -- swapping * to + as I think there'd always be at least 1 digit?

#5 @wonderboymusic
8 years ago

  • Owner set to rmccue
  • Status changed from new to assigned

This ticket was mentioned in Slack in #core-restapi by rachelbaker. View the logs.

8 years ago

#7 @rmccue
8 years ago

  • Milestone 4.4 deleted
  • Resolution set to maybelater
  • Status changed from assigned to closed

Discussed briefly on Slack. Right now, this is more of a theoretical/academic concern than anything else; in the wild, we've not really seen people using the plugin and registering their own wp/v2/... routes. In addition, protecting this would mean we'd need to invent a way for our own plugin to get around it.

Let's close this off for now, and we'll reinvestigate once the endpoints are in core and we can truly call them _builtin or similar.

Note: See TracTickets for help on using tickets.