Make WordPress Core

Opened 22 months ago

Closed 6 months ago

Last modified 6 months ago

#44702 closed enhancement (wontfix)

Lack of validation for the REST request method

Reported by: andizer
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.4
Component: REST API
Keywords: has-patch has-unit-tests close reporter-feedback
Focuses: rest-api
Cc:


When registering a REST API endpoint, it is possible to set a request method, like GET, PUT, POST, etcetera. This is awesome; however, there is no validation to verify if the REST method is a valid one (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods).

I think we should have validation for it.

Attachments (2)

44702.diff (1.9 KB) - added by andizer 21 months ago.
Proposal for a possible fix
44702-tests.diff (1.1 KB) - added by andizer 21 months ago.
Unit test for faulty situation


Change History (7)

#1 @johnbillion
22 months ago

  • Focuses rest-api added
  • Keywords needs-patch added
  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 4.4

Attachment 44702.diff added by andizer
21 months ago

Proposal for a possible fix

Attachment 44702-tests.diff added by andizer
21 months ago

Unit test for faulty situation

#2 @andizer
21 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

#3 @TimothyBlynJacobs
12 months ago

  • Keywords close reporter-feedback added

What would be the benefit of this validation? The REST API server doesn't enforce any semantics about the HTTP method chosen. It'll happily match to any HTTP method and pass on a request body if it exists.

I don't think people should be stopped from using a custom HTTP method if they want to. Additionally, I'm not sure we could even enforce this at this point without breaking BC.

#4 @TimothyBlynJacobs
6 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Closing based on the above comment. @andizer feel free to reopen if you get a chance to provide more explanation.

#5 @andizer
6 months ago

I can live with the closing of this issue. The reason for this was that there are pre-defined HTTP methods, and if a user uses a 'wrong' / unknown method, the request flow might break or just behave in another way. On the other hand, if someone uses a wrong one, he might encounter this issue and can fix it. Thanks!
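Because the ticket was closed without adding validation to core, a plugin that wants to catch a mistyped method has to check its own routes before registering them. The sketch below is an added example, not the attached 44702.diff and not WordPress core code; the `myplugin_*` function names, the `myplugin/v1` namespace, the `/items` route and the `1.0.0` version string are hypothetical. It is an opt-in check, since core deliberately accepts custom methods (comment #3).

```php
<?php
// Added example: every myplugin_* name is hypothetical, not WordPress core.

/** Return the entries of a 'methods' value that are not standard HTTP methods. */
function myplugin_unknown_rest_methods( $methods ) {
	// Request methods from the MDN reference linked in the ticket.
	$known = array( 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH' );

	// 'methods' may be a comma-separated string or an array of strings.
	if ( is_string( $methods ) ) {
		$methods = explode( ',', $methods );
	}
	$methods = array_map( 'strtoupper', array_map( 'trim', (array) $methods ) );

	return array_values( array_diff( array_filter( $methods, 'strlen' ), $known ) );
}

/** Validate the methods first, then hand the route to register_rest_route(). */
function myplugin_register_route( $namespace, $route, array $args ) {
	// A single endpoint has 'callback' at the top level; otherwise each
	// integer-keyed entry is its own endpoint definition.
	$endpoints = isset( $args['callback'] )
		? array( $args )
		: array_filter( $args, 'is_int', ARRAY_FILTER_USE_KEY );

	foreach ( $endpoints as $endpoint ) {
		// register_rest_route() falls back to GET when 'methods' is omitted.
		$methods = isset( $endpoint['methods'] ) ? $endpoint['methods'] : 'GET';
		$unknown = myplugin_unknown_rest_methods( $methods );
		if ( $unknown ) {
			$message = sprintf( 'Unknown HTTP method(s) for %s%s: %s', $namespace, $route, implode( ', ', $unknown ) );
			_doing_it_wrong( __FUNCTION__, esc_html( $message ), '1.0.0' );
			return false;
		}
	}
	return register_rest_route( $namespace, $route, $args );
}

add_action( 'rest_api_init', function () {
	// Constructed input: 'PSOT' is a typo, so this route is reported and skipped.
	myplugin_register_route( 'myplugin/v1', '/items', array(
		'methods'             => 'GET, PSOT',
		'callback'            => '__return_true',
		'permission_callback' => '__return_true',
	) );
} );
```

The `_doing_it_wrong()` notice is only displayed when `WP_DEBUG` is enabled, so the typo surfaces during development rather than as a route that silently never matches.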
