Make WordPress Core

Opened 18 months ago

Closed 7 weeks ago

Last modified 7 weeks ago

#44702 closed enhancement (wontfix)

Lack of validation for the REST request method

Reported by: andizer Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4
Component: REST API Keywords: has-patch has-unit-tests close reporter-feedback
Focuses: rest-api Cc:
PR Number:


When registering a REST API endpoint, it is possible to set a request method, like GET, PUT, POST, etcetera. This is awesome; however, there is no validation to verify that the REST method is a valid one (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods).

I think we should have validation for it.

Attachments (2)

44702.diff (1.9 KB) - added by andizer 16 months ago.
Proposal for a possible fix
44702-tests.diff (1.1 KB) - added by andizer 16 months ago.
Unit test for faulty situation

Change History (7)

#1 @johnbillion
18 months ago

  • Focuses rest-api added
  • Keywords needs-patch added
  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 4.4

16 months ago

Proposal for a possible fix

16 months ago

Unit test for faulty situation

#2 @andizer
16 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

#3 @TimothyBlynJacobs
7 months ago

  • Keywords close reporter-feedback added

What would be the benefit of this validation? The REST API server doesn't enforce any semantics about the HTTP method chosen. It'll happily match to any HTTP method and pass on a request body if it exists.

I don't think people should be stopped from using a custom HTTP method if they want to. Additionally, I'm not sure we could even enforce this at this point without breaking BC.

#4 @TimothyBlynJacobs
7 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Closing based on the above comment. @andizer feel free to reopen if you get a chance to provide more explanation.

#5 @andizer
7 weeks ago

I can live with the closing of this issue. The reason for this was that there are pre-defined HTTP methods, and if a user uses a 'wrong' / unknown method, the request flow might break or just behave in another way. On the other side, if someone uses a wrong one, he might encounter this issue and can fix it. Thanks!
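An added example, not part of the ticket, its attached patch, or WordPress core: a plugin-side check that reports method names outside the MDN list linked in the description, without rejecting them, so custom methods keep working as comment #3 asks. The helper name `find_unknown_rest_methods()` and the sample routes are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. The method list follows the MDN
// page linked in the ticket; find_unknown_rest_methods() is a hypothetical helper.

const KNOWN_HTTP_METHODS = array(
    'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH',
);

/**
 * Return the method names in a route's 'methods' argument that are not in
 * KNOWN_HTTP_METHODS. Accepts a comma-separated string such as
 * 'POST, PUT, PATCH' or an array of strings.
 */
function find_unknown_rest_methods( $methods ) {
    if ( is_string( $methods ) ) {
        $methods = explode( ',', $methods );
    }
    $unknown = array();
    foreach ( (array) $methods as $method ) {
        // Compare case-insensitively and ignore surrounding whitespace.
        $method = strtoupper( trim( (string) $method ) );
        if ( '' === $method ) {
            $unknown[] = '(empty)';
        } elseif ( ! in_array( $method, KNOWN_HTTP_METHODS, true ) ) {
            $unknown[] = $method;
        }
    }
    return array_values( array_unique( $unknown ) );
}

// Constructed sample route definitions, shaped like register_rest_route() args.
$routes = array(
    '/demo/v1/items'  => array( 'methods' => 'GET, POST' ),
    '/demo/v1/typo'   => array( 'methods' => 'PSOT' ),
    '/demo/v1/custom' => array( 'methods' => array( 'get', 'PURGE' ) ),
);

foreach ( $routes as $route => $args ) {
    $unknown = find_unknown_rest_methods( $args['methods'] );
    if ( $unknown ) {
        // Report only: a hard failure would block intentional custom methods.
        printf( "%s: non-standard method(s): %s\n", $route, implode( ', ', $unknown ) );
    }
}
```

Run from the command line, this flags `PSOT` and `PURGE` and leaves the `GET, POST` route alone; whether a flagged name is a typo or a deliberate custom method is left to the developer.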
