Make WordPress Core

Opened 15 months ago

Last modified 4 months ago

#44702 new enhancement

Lack of validation for the REST request method

Reported by: andizer Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.4
Component: REST API Keywords: has-patch has-unit-tests close reporter-feedback
Focuses: rest-api Cc:
PR Number:


When registering a REST API endpoint it is possible to set a request method. Like GET, PUT, POST, etcetera. This is awesome, however there is no validation to verify if the REST method is a valid one (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) .

I think we should have validation for it.

Attachments (2)

44702.diff (1.9 KB) - added by andizer 13 months ago.
Proposal for a possible fix
44702-tests.diff (1.1 KB) - added by andizer 13 months ago.
Unit test for faulty situation

Download all attachments as: .zip

Change History (5)

#1 @johnbillion
15 months ago

  • Focuses rest-api added
  • Keywords needs-patch added
  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 4.4

13 months ago

Proposal for a possible fix

13 months ago

Unit test for faulty situation

#2 @andizer
13 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

#3 @TimothyBlynJacobs
4 months ago

  • Keywords close reporter-feedback added

What would be the benefit of this validation? The REST API server doesn't enforce any semantics about the HTTP method chosen. It'll happily match to any HTTP method and pass on a request body if it exists.

I don't think people should be stopped from using a custom HTTP method if they want to. Additionally, I'm not sure we could even enforce this at this point without breaking BC.

Note: See TracTickets for help on using tickets.