Opened 7 years ago
Closed 7 years ago
#40787 closed defect (bug) (fixed)
REST API: Attempts to output headers without confirming headers have not been sent
Reported by: | kraftbj | Owned by: | jnylen0 |
---|---|---|---|
Milestone: | 4.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | REST API | Keywords: | has-patch dev-feedback |
Focuses: | rest-api | Cc: |
Description
The rest_handle_deprecated_function
and rest_handle_deprecated_argument
functions fire header()
without confirming if headers have already been sent or not.
This can result in PHP warnings, which depending on the site's settings, will output into the REST API response, which breaks JSON.
Error: Warning: Cannot modify header information - headers already sent by (output started at /public_html//wp-includes/functions.php:3720) in /public_html/wp-includes/rest-api.php on line 492
Attachments (1)
Change History (10)
#1
@
7 years ago
- Keywords has-patch added
In 40787.diff, I opted to check for headers_sent
right before header()
instead of earlier in the file in the event that the functions are expanded to do more than only the headers in the future.
#2
@
7 years ago
- Milestone changed from Awaiting Review to 4.8
- Owner set to jnylen0
- Status changed from new to assigned
Excellent catch, this has bitten me a large number of times and I'm not sure why I didn't think to patch it. I think we should get this in 4.8.
This ticket was mentioned in Slack in #core-restapi by jnylen. View the logs.
7 years ago
#5
@
7 years ago
+1 from me, nice catch indeed. No strong opinion on wrapping each individual header()
call vs making one check earlier in the file.
#6
@
7 years ago
What scenario's would these headers be output, after the output has started in a rest context? Is it embedded responses? It's not clear how one would reproduce this other than outputting something before the rest api does.
#7
@
7 years ago
- Keywords dev-feedback added
There are various filters that run after the API sends its output. One example from WP.com used shutdown
I think. This was pretty annoying to work around.
I would actually prefer to remove these headers entirely, because I don't think we should be exposing this information about the site. They were originally introduced during the migration from WP-API v1 to v2 (ref), and they've finished serving that purpose long ago.
Marking as dev-feedback
to get a 2nd opinion on just ripping this code out.
Check if headers_sent is false before firing header