#38984 closed defect (bug) (fixed)
REST API: Fix incorrect calls to `rest_sanitize_value_from_schema`
Reported by: | jnylen0 | Owned by: | rachelbaker |
---|---|---|---|
Milestone: | 4.7 | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | REST API | Keywords: | has-patch commit dev-reviewed |
Focuses: | Cc: |
Description
Two instances in WP_REST_Users_Controller
where we are passing $request
instead of $args
. This allows some minor weirdness:
POST /wp/v2/users?username=abcd&password=efgh&type=array
A user will be created with the username and password set to Array
because $request['array']
is interpreted as a type argument.
One more incorrect call in rest_sanitize_request_arg
where we are calling the function with a nonexistent third argument.
Attachments (2)
Change History (13)
#2
@
8 years ago
Yep, I wrote this code in #38739.
If we add additional schema / options here, it will presumably be for a reason that will have unit tests and will probably be addressed in the code for these check_user*
functions. Until then I prefer the clarity and explicitness of strval
- apparently it's easy to misuse these functions.
#3
follow-up:
↓ 4
@
8 years ago
@jnylen0 for the username we can't simply use any string value. There are invalid characters that need to be stripped. I *think* we would want to use the sanitize_user()
function for this.
#4
in reply to:
↑ 3
;
follow-up:
↓ 5
@
8 years ago
Replying to rachelbaker:
@jnylen0 for the username we can't simply use any string value. There are invalid characters that need to be stripped.
This is already handled (see validate_username
call in the check_username
function, and associated tests)
#5
in reply to:
↑ 4
@
8 years ago
Replying to jnylen0:
Replying to rachelbaker:
@jnylen0 for the username we can't simply use any string value. There are invalid characters that need to be stripped.
This is already handled (see
validate_username
call in thecheck_username
function, and associated tests)
Ah. I had to scroll down :). Now I remember why I don't review patches on mobile.
Why the change to strval()
from the (string)
typecasting? Is there a reason to change that? In the RC phase of a release I would prefer avoid non-bug code tweaks.
#6
@
8 years ago
Should be fine either way. I only changed it because rest_sanitize_value_from_schema
uses strval
(ref). (When this code was originally written, that conversion to string wasn't present.)
This ticket was mentioned in Slack in #core by helen. View the logs.
8 years ago
#8
@
8 years ago
- Keywords commit dev-feedback added
- Owner set to rachelbaker
- Status changed from new to assigned
+1 on 38984.2.diff which just removes the added strval()
function in check_user_password()
and check_username()
.
Still needs another permanent committer to review.
@jnylen0 looking at this, I think the intention was to use
rest_sanitize_request_arg
rather thanrest_sanitize_value_from_schema
. I think maybe it would be better to userest_sanitize_request_arg
incase these params get other schema / options in the future.