Make WordPress Core

Opened 5 months ago

Last modified 3 months ago

#61061 new defect (bug)

PHP Warning with invalid JSON input

Reported by: dd32's profile dd32 Owned by:
Milestone: Awaiting Review Priority: low
Severity: normal Version:
Component: REST API Keywords: has-patch
Focuses: rest-api Cc:

Description

A request such as the following will generate a PHP Warning:

curl https://example.org/wp-json/wp/v2/users/1 --data '"+response.write(document.domain)+"' -H 'Content-Type: application/json'

The warning:

E_WARNING: Invalid argument supplied for foreach() in wp-includes/rest-api/class-wp-rest-request.php:816

The relevant part of the backtrace:

[24-Apr-2024 04:11:35 UTC] PHP  10. WP_REST_Server->serve_request($path = '/wp/v2/users/1') wp-includes/rest-api.php:428
[24-Apr-2024 04:11:35 UTC] PHP  11. WP_REST_Server->dispatch($request = class WP_REST_Request { protected $method = 'POST'; protected $params = ['URL' => ['id' => '1'], 'GET' => [], 'POST' => [], 'FILES' => [], 'JSON' => '+response.write(document.domain)+', 'defaults' => []]; protected $headers = ['content_type' => [0 => 'application/json'] ]; protected $body = '"+response.write(document.domain)+"'; protected $route = '/wp/v2/users/1'; protected $attributes = ['methods' => ['POST' => TRUE, 'PUT' => TRUE, 'PATCH' => TRUE], 'accept_json' => FALSE, 'accept_raw' => FALSE, 'show_in_index' => TRUE,  [.......]; protected $parsed_json = TRUE; protected $parsed_body = FALSE }) wp-includes/rest-api/class-wp-rest-server.php:439
[24-Apr-2024 04:11:35 UTC] PHP  12. WP_REST_Request->sanitize_params() wp-includes/rest-api/class-wp-rest-server.php:1056

Change History (3)

#1 @dd32
5 months ago

Of course, this is actually a valid JSON input.

These are also valid, and produce the same result.

curl https://example.org/wp-json/wp/v2/users/1 --data '"foobar"' -H 'Content-Type: application/json'
curl https://example.org/wp-json/wp/v2/users/1 --data '1' -H 'Content-Type: application/json'

It seems that the expected outcome here is to simply skip sanitisation of the param, ultimately a missing field should be picked up by the schema of the API endpoint, and the endpoint may expect/handle a string/numeric input in the field.

See attached.

This ticket was mentioned in PR #6491 on WordPress/wordpress-develop by @dd32.


5 months ago
#2

  • Keywords has-patch added

#3 @antonvlasenko
3 months ago

Test Report

This report validates that the indicated patch addresses the issue.

Patch tested: https://github.com/WordPress/wordpress-develop/pull/6491

Environment

  • WordPress: 6.6-beta3-58440-src
  • PHP: 7.3.33
  • Server: Apache/2.4.57 (Unix) PHP/7.3.33
  • Database: mysqli (Server: 5.7.43 / Client: mysqlnd 5.0.12-dev)
  • Browser: Safari 17.5 (macOS)
  • Theme: Twenty Twenty-Four 1.1
  • MU-Plugins: None activated
  • Plugins:
    • JSON Basic Authentication 0.1

Actual Results

  • ✅ No error in the debug.log file after applying the patch.

Additional Notes

The curl request used for testing:

curl --user admin:password http://wordpress.test/wp-json/wp/v2/users/1 --data '1' -H 'Content-Type: application/json'

Supplemental Artifacts

Before applying the patch, the following error was recorded in the debug.log file:

[03-Jul-2024 14:32:18 UTC] PHP Warning:  Invalid argument supplied for foreach() in /src/wp-includes/rest-api/class-wp-rest-request.php on line 816
Note: See TracTickets for help on using tickets.