Make WordPress Core

Opened 8 weeks ago

Last modified 7 weeks ago

#61061 new defect (bug)

PHP Warning with invalid JSON input

Reported by: dd32 Owned by:
Milestone: Awaiting Review Priority: low
Severity: normal Version:
Component: REST API Keywords: has-patch
Focuses: rest-api Cc:

Description

A request such as the following will generate a PHP Warning:

curl https://example.org/wp-json/wp/v2/users/1 --data '"+response.write(document.domain)+"' -H 'Content-Type: application/json'

The warning:

E_WARNING: Invalid argument supplied for foreach() in wp-includes/rest-api/class-wp-rest-request.php:816

The relevant part of the backtrace:

[24-Apr-2024 04:11:35 UTC] PHP  10. WP_REST_Server->serve_request($path = '/wp/v2/users/1') wp-includes/rest-api.php:428
[24-Apr-2024 04:11:35 UTC] PHP  11. WP_REST_Server->dispatch($request = class WP_REST_Request { protected $method = 'POST'; protected $params = ['URL' => ['id' => '1'], 'GET' => [], 'POST' => [], 'FILES' => [], 'JSON' => '+response.write(document.domain)+', 'defaults' => []]; protected $headers = ['content_type' => [0 => 'application/json'] ]; protected $body = '"+response.write(document.domain)+"'; protected $route = '/wp/v2/users/1'; protected $attributes = ['methods' => ['POST' => TRUE, 'PUT' => TRUE, 'PATCH' => TRUE], 'accept_json' => FALSE, 'accept_raw' => FALSE, 'show_in_index' => TRUE,  [.......]; protected $parsed_json = TRUE; protected $parsed_body = FALSE }) wp-includes/rest-api/class-wp-rest-server.php:439
[24-Apr-2024 04:11:35 UTC] PHP  12. WP_REST_Request->sanitize_params() wp-includes/rest-api/class-wp-rest-server.php:1056

Change History (2)

#1 @dd32
7 weeks ago

Of course, this is actually a valid JSON input.

These are also valid, and produce the same result.

curl https://example.org/wp-json/wp/v2/users/1 --data '"foobar"' -H 'Content-Type: application/json'
curl https://example.org/wp-json/wp/v2/users/1 --data '1' -H 'Content-Type: application/json'

It seems that the expected outcome here is to simply skip sanitisation of the param; ultimately a missing field should be picked up by the schema of the API endpoint, and the endpoint may expect/handle a string/numeric input in the field.

See attached.
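The situation described in this ticket, as an added illustration that is not WordPress core code and not the change in PR #6491: a reduced model of how a JSON body becomes a parameter bucket and is then sanitised. `decode_json_body`, `sanitize_params`, `check_required` and the `email` argument are hypothetical names chosen for this example; the three request bodies are the ones from the ticket plus one constructed object body for contrast.

```php
<?php
/**
 * Added illustration (not WordPress core, not the ticket's patch). It mirrors
 * the shape of the warning: a valid JSON scalar body yields a non-array
 * parameter bucket, which the unguarded foreach cannot iterate.
 */

/**
 * Decode a JSON request body the way a REST layer would, keeping the decoded
 * value whatever its type. '"foobar"', '1' and the ticket's original body are
 * all valid JSON, so json_decode() returns a string or int, not an array.
 */
function decode_json_body( string $body ) {
    $decoded = json_decode( $body, true );
    return ( json_last_error() === JSON_ERROR_NONE ) ? $decoded : null;
}

/**
 * Sanitise parameters against registered args.
 *
 * @param array $args   name => [ 'sanitize_callback' => callable, 'required' => bool ].
 * @param array $params Buckets keyed by source ('JSON', 'URL', ...) in priority order.
 * @return array{0: array, 1: string[]} Sanitised values and the buckets skipped.
 */
function sanitize_params( array $args, array $params ): array {
    $clean   = [];
    $skipped = [];

    foreach ( $params as $type => $bucket ) {
        if ( empty( $bucket ) ) {
            continue;
        }
        // The guard this ticket is about: a scalar body gives a non-array
        // bucket. Without this check the inner foreach raises E_WARNING
        // ("foreach() argument must be of type array|object" on PHP 8).
        if ( ! is_array( $bucket ) ) {
            $skipped[] = $type;
            continue;
        }
        foreach ( $bucket as $key => $value ) {
            if ( ! isset( $args[ $key ] ) ) {
                continue; // unknown parameter: nothing registered to sanitise it with
            }
            if ( array_key_exists( $key, $clean ) ) {
                continue; // simplification: the first bucket that sets a key wins
            }
            $cb            = $args[ $key ]['sanitize_callback'] ?? null;
            $clean[ $key ] = is_callable( $cb ) ? $cb( $value ) : $value;
        }
    }

    return [ $clean, $skipped ];
}

/**
 * Schema-style check that runs after sanitisation: a required field that no
 * bucket supplied is reported here, which is where a skipped scalar body ends
 * up being noticed rather than inside the sanitiser.
 */
function check_required( array $args, array $clean ): array {
    $missing = [];
    foreach ( $args as $name => $spec ) {
        if ( ! empty( $spec['required'] ) && ! array_key_exists( $name, $clean ) ) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample: the users/1 route with a hypothetical required 'email' arg.
$args = [
    'id'    => [ 'sanitize_callback' => 'intval' ],
    'email' => [ 'sanitize_callback' => 'trim', 'required' => true ],
];

$bodies = [
    '"+response.write(document.domain)+"',   // the ticket's body: a JSON string
    '"foobar"',                              // also a JSON string
    '1',                                     // a JSON number
    '{"email":" a@example.org "}',           // constructed object body for contrast
];

foreach ( $bodies as $body ) {
    // JSON is listed before URL so a JSON field takes priority over the route value.
    $params = [ 'JSON' => decode_json_body( $body ), 'URL' => [ 'id' => '1' ] ];
    [ $clean, $skipped ] = sanitize_params( $args, $params );
    $missing = check_required( $args, $clean );
    printf(
        "%-38s clean=%s skipped=[%s] missing=[%s]\n",
        $body,
        json_encode( $clean ),
        implode( ',', $skipped ),
        implode( ',', $missing )
    );
}
```

Run it with `php example.php`. For the three scalar bodies the JSON bucket is skipped without a warning, `id` is still taken from the URL bucket, and the absent `email` surfaces from `check_required`; only the object body reaches the `trim` callback. The first-bucket-wins rule is a simplification of how WP_REST_Request resolves the same key across sources.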

#2
7 weeks ago

This ticket was mentioned in PR #6491 on WordPress/wordpress-develop by @dd32.

  • Keywords has-patch added