Opened 6 months ago

Closed 6 months ago

#38417 closed defect (bug) (fixed)

Post status enum is ignored in collection params, allowing invalid values

Reported by: joehoyle
Owned by: joehoyle
Milestone: 4.7
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords: dev-feedback
Focuses:
Cc:

Description

Originally reported at https://github.com/WP-API/WP-API/issues/2889, currently the post status in /wp/v2/posts?status=invalid does not throw an error and is passed to WP_Query, resulting in all post statuses being returned.

Note: this does not affect unauthenticated users, as we whitelist those types, so there's no permissions / information disclosure here.

Proposed fix in https://github.com/danielbachhuber/wordpress-develop/pull/4

cc @rmccue

Attachments (1)

38417.diff (697 bytes) - added by jeremyfelt 6 months ago.

Change History (6)

#1 @wkwalrath
6 months ago

Want to add a bit more background to this. Discussion started in this bit of Slack channel history: https://wordpress.slack.com/archives/core-restapi/p1476975790009158.

I reported getting weird results from authenticated API requests using query param status=publish,draft.
@joehoyle determined:

I was able to reproduce I think
status=publish,draft sanitizes to status=publishdraft, which is an invalid status, so WP_Query doesn’t add a WHERE for post_status

And it sounds like a separate ticket may be opened to discuss queries with multiple status values.

#2 @joehoyle
6 months ago

  • Owner set to joehoyle
  • Resolution set to fixed
  • Status changed from new to closed

In 38911:

REST API: Validate posts status enum

Currently we are using a different validate callback, so the enum is not interpreted. We just have to fall back to the result of rest_validate_request_arg in our custom wrapper function.

Fixes #38417.
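The pattern the changeset describes, as an added illustration rather than the actual [38911] diff or any WordPress core code: a custom `validate_callback` on the `status` collection parameter that returns its own boolean silently replaces the default validator, so the schema's `enum` is never consulted; delegating to `rest_validate_request_arg()` after the permission check restores it. The route `example/v1/items` and both validator functions are hypothetical; `rest_validate_request_arg()`, `rest_authorization_required_code()` and the `WP_REST_*` classes are the real REST API.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Hypothetical route /example/v1/items with a `status` collection param.

// Buggy wrapper (the behaviour the ticket reports): a custom validate_callback
// that only does a capability check. Any string passes for a user who can read
// private posts, so ?status=invalid reaches WP_Query and no post_status WHERE
// clause is added, returning posts of every status.
function example_validate_status_buggy( $value, $request, $param ) {
    if ( 'publish' === $value ) {
        return true; // public status, fine for anyone
    }
    return current_user_can( 'read_private_posts' ); // schema enum never checked
}

// Fixed wrapper (the approach in the commit message): keep the permission
// check, then fall back to the default validator so the `type` and `enum`
// declared in the arg schema are enforced and an invalid value yields a
// rest_invalid_param error response instead of an unfiltered query.
function example_validate_status_fixed( $value, $request, $param ) {
    if ( 'publish' !== $value && ! current_user_can( 'read_private_posts' ) ) {
        return new WP_Error(
            'rest_forbidden_status',
            'Status is forbidden.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return rest_validate_request_arg( $value, $request, $param );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/items', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            // Echo the validated status; a real handler would pass it to WP_Query.
            return rest_ensure_response( array( 'status' => $request['status'] ) );
        },
        'args' => array(
            'status' => array(
                'default'           => 'publish',
                'type'              => 'string',
                'enum'              => array_keys( get_post_stati() ), // registered statuses
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => 'example_validate_status_fixed',
            ),
        ),
    ) );
} );
```

With the fixed callback, `GET /wp-json/example/v1/items?status=invalid` returns a 400 `rest_invalid_param` response naming `status`, which is the error the reopened comment below adjusts the test to expect.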

@jeremyfelt
6 months ago

#3 @jeremyfelt
6 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Previously, if an invalid post status was assigned to a media object, the object would be returned with an unchanged status. Now, an error response is returned.

The assertion in test_get_items_invalid_status_param_is_discarded() needs to be updated to account for the expected error response.

38417.diff makes this change.

6 months ago

This ticket was mentioned in Slack in #core by jeremyfelt.

#5 @jeremyfelt
6 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 38917:

REST API: Adjust test_get_items_invalid_status_param_is_discarded() after [38911].

Previously, if an invalid post status was assigned to a media object, the object would be returned with an unchanged status. After [38911], an error response is returned.

The assertion in test_get_items_invalid_status_param_is_discarded() needs to be updated to account for the expected error response. The test name has been changed to test_get_items_invalid_status_param_is_error_response().

Fixes #38417.
