WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 11 months ago

Last modified 11 months ago

#44702 closed enhancement (wontfix)

Lack of validation for the REST request method

Reported by: andizer
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.4
Component: REST API
Keywords: has-patch has-unit-tests close reporter-feedback
Focuses: rest-api
Cc:

Description

When registering a REST API endpoint it is possible to set a request method, like GET, PUT, POST, etcetera. This is awesome; however, there is no validation to verify if the REST method is a valid one (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods).

I think we should have validation for it.

Attachments (2)

44702.diff (1.9 KB) - added by andizer 2 years ago.
Proposal for a possible fix
44702-tests.diff (1.1 KB) - added by andizer 2 years ago.
Unit test for faulty situation


Change History (7)

#1 @johnbillion
2 years ago

  • Focuses rest-api added
  • Keywords needs-patch added
  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 4.4

@andizer
2 years ago

Proposal for a possible fix

@andizer
2 years ago

Unit test for faulty situation

#2 @andizer
2 years ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

#3 @TimothyBlynJacobs
17 months ago

  • Keywords close reporter-feedback added

What would be the benefit of this validation? The REST API server doesn't enforce any semantics about the HTTP method chosen. It'll happily match to any HTTP method and pass on a request body if it exists.

I don't think people should be stopped from using a custom HTTP method if they want to. Additionally, I'm not sure we could even enforce this at this point without breaking BC.

#4 @TimothyBlynJacobs
11 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Closing based on the above comment. @andizer feel free to reopen if you get a chance to provide more explanation.

#5 @andizer
11 months ago

I can live with the closing of this issue. The reason for this was that there are pre-defined HTTP methods, and if a user uses a 'wrong' / unknown method the request flow might break or just behave differently. On the other side, if someone uses a wrong one he might encounter this issue and can fix it. Thanks!
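
A plugin-side check along the lines the ticket asks for, as an added example (not WordPress core code and not the attached 44702.diff). It assumes the `methods` argument is a comma-separated string or an array of strings; the function names and sample routes are hypothetical, and the check reports unknown names instead of rejecting them, since the REST server accepts custom methods.

```php
<?php
// Added example: standalone PHP, no WordPress functions are called.
// Method names are the ones on the MDN list linked in the ticket description.
const KNOWN_HTTP_METHODS = array(
    'GET', 'HEAD', 'POST', 'PUT', 'DELETE',
    'CONNECT', 'OPTIONS', 'TRACE', 'PATCH',
);

/**
 * Normalize a 'methods' value (comma-separated string or array of strings)
 * into a de-duplicated list of trimmed, upper-cased method names.
 */
function example_normalize_methods( $methods ) {
    if ( is_string( $methods ) ) {
        $methods = explode( ',', $methods );
    }
    if ( ! is_array( $methods ) ) {
        return array();
    }
    $out = array();
    foreach ( $methods as $method ) {
        if ( is_string( $method ) && '' !== trim( $method ) ) {
            $out[] = strtoupper( trim( $method ) );
        }
    }
    return array_values( array_unique( $out ) );
}

/** Return the method names that are not in KNOWN_HTTP_METHODS. */
function example_unknown_methods( $methods ) {
    $normalized = example_normalize_methods( $methods );
    return array_values( array_diff( $normalized, KNOWN_HTTP_METHODS ) );
}

// Constructed sample route arguments, shaped like the $args array
// a plugin would pass when registering an endpoint.
$sample_routes = array(
    '/example/v1/items'  => array( 'methods' => 'GET, POST' ),
    '/example/v1/typo'   => array( 'methods' => 'GET, PSOT' ),
    '/example/v1/custom' => array( 'methods' => array( 'PURGE', 'delete' ) ),
);

foreach ( $sample_routes as $route => $args ) {
    $unknown = example_unknown_methods( $args['methods'] );
    if ( $unknown ) {
        printf( "%s: non-standard method(s): %s\n", $route, implode( ', ', $unknown ) );
    }
}
```

A deliberately custom method such as the constructed `PURGE` is flagged alongside the `PSOT` typo, so the output is a list for a developer to review.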
