Make WordPress Core

#60741 closed defect (bug) (fixed)

Remove uneeded upload override settngs in Font Face endpoint

Reported by: peterwilsoncc's profile peterwilsoncc Owned by: audrasjb's profile audrasjb
Milestone: 6.5 Priority: normal
Severity: normal Version:
Component: REST API Keywords: has-patch fixed-major dev-reviewed
Focuses: Cc:

Description

Initially the WP_REST_Font_Faces_Controller::handle_font_file_upload() method was designed to allow both the uploading of font files and requesting the server download them by passing a URL (such as Google Fonts)

This was subsequently changed to allow the upload of files only so some of the wp_handle_upload() override settings can now be restored to the default values.

This is required for hardening the endpoint so I've placed it on the 6.5 milestone.

Change History (8)

This ticket was mentioned in PR #6242 on WordPress/wordpress-develop by @peterwilsoncc.


11 months ago
#1

  • Keywords has-patch added

Remove unneeded overrides in the font face controllers upload settings.

https://core.trac.wordpress.org/ticket/60741

#2 @peterwilsoncc
11 months ago

  • Owner set to peterwilsoncc
  • Resolution set to fixed
  • Status changed from new to closed

In 57804:

REST API: Remove unnecessary upload overrides in font face controller.

This removes settings that are the default value or required for side-loading from the WP_REST_Font_Faces_Controller::handle_font_file_upload().

This is to harden the endpoint and future proof against any changes to wp_handle_upload() and related functions/security checks.

Props peterwilsoncc, dd32.
Fixes #60741.

#4 @peterwilsoncc
11 months ago

  • Keywords dev-feedback added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for merge to the 6.5 branch

#5 @peterwilsoncc
11 months ago

  • Keywords fixed-major added

#6 @swissspidy
11 months ago

  • Keywords dev-reviewed added; dev-feedback removed

#7 @audrasjb
11 months ago

  • Owner changed from peterwilsoncc to audrasjb
  • Status changed from reopened to assigned

Self assigning for 6.5 backport.

#8 @audrasjb
11 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 57813:

REST API: Remove unnecessary upload overrides in font face controller.

This removes settings that are the default value or required for side-loading from the WP_REST_Font_Faces_Controller::handle_font_file_upload().

This is to harden the endpoint and future proof against any changes to wp_handle_upload() and related functions/security checks.

Reviewed by swissspidy, audrasjb.
Merges [57804] to the to the 6.5 branch.

Props peterwilsoncc, dd32.
Fixes #60741.

Note: See TracTickets for help on using tickets.