WordPress.org
Get WordPress

Make WordPress Core

Opened 10 months ago

Closed 10 months ago

Last modified 10 months ago

#60771 closed defect (bug) (fixed)

PHP 8 Fatal error in WP_REST_Search_Controller

Reported by: dd32's profile dd32 Owned by: swissspidy's profile swissspidy
Milestone: 6.6 Priority: normal
Severity: normal Version: 5.0
Component: REST API Keywords: php8 has-patch has-unit-tests commit
Focuses: rest-api Cc:

Description

WP_REST_Search_Controller does not properly sanitize the type parameter before using it, leading to a PHP Warning / PHP Fatal error:

PHP 7.4 E_WARNING: Illegal offset type in isset or empty in wp-includes/rest-api/endpoints/class-wp-rest-search-controller.php:398

PHP 8.1 Fatal error:  Uncaught TypeError: Illegal offset type in isset or empty in wp-includes/rest-api/endpoints/class-wp-rest-search-controller.php:398

This happens with a rest-api request such as this:

/wp/v2/search?subtype=page&type[]=post

The schema correctly requires it to be a string, and under PHP 7.4 an incorrect schema error will be thrown.

The issue is that the warning occurs within the sanitize handler:

#0 wp-includes/rest-api/endpoints/class-wp-rest-search-controller.php(379): WP_REST_Search_Controller->get_search_handler(Object(WP_REST_Request))
#1 wp-includes/rest-api/class-wp-rest-request.php(833): WP_REST_Search_Controller->sanitize_subtypes(Array, Object(WP_REST_Request), 'subtype')
#2 wp-includes/rest-api/class-wp-rest-server.php(1056): WP_REST_Request->sanitize_params()
#3 wp-includes/rest-api/class-wp-rest-server.php(439): WP_REST_Server->dispatch(Object(WP_REST_Request))
#4 wp-includes/rest-api.php(428): WP_REST_Server->serve_request('/wp/v2/search')

Basically; causing WP_REST_Search_Controller::get_search_handler() to run with type as an array, even though it's not acceptable according to the schema.

Change History (6)

#1 @swissspidy
10 months ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 6.6

This ticket was mentioned in PR #6270 on WordPress/wordpress-develop by @swissspidy.
10 months ago #2

  • Keywords has-unit-tests added

In WP_REST_Search_Controller, avoid a PHP error when the type parameter is not a string as expected.

Trac ticket: https://core.trac.wordpress.org/ticket/60771

#3 @swissspidy
10 months ago

  • Keywords commit added

@dd32 commented on PR #6270:
10 months ago #4

@TimothyBJacobs I agree; It would be nice if $request->get_param() didn't return the data if it was not matching the schema perhaps?
I guess it would depend upon the order of operations though - sanitizing/validating subtype before type got checked could still potentially end up in the same situation.

This PR as-is though, seems like the most obvious and straight forward change.

#5 @swissspidy
10 months ago

  • Owner set to swissspidy
  • Resolution set to fixed
  • Status changed from new to closed

In 57839:

REST API: Prevent error when passing invalid type parameter to search endpoint.

In WP_REST_Search_Controller, the type parameter is accessed via the sanitization callback for the subtype parameter, which is too early for type itself to be already sanitized. This change adds a type check in the get_search_handler() method to prevent errors when the type doesn’t match.

Props swissspidy, timothyblynjacobs, dd32.
Fixes #60771.

Note: See TracTickets for help on using tickets.