Opened 5 months ago
Last modified 3 months ago
#61061 new defect (bug)
PHP Warning with invalid JSON input
| Reported by: | dd32 | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | low |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | has-patch |
| Focuses: | rest-api | Cc: | |
Description
A request such as the following will generate a PHP Warning:
curl https://example.org/wp-json/wp/v2/users/1 --data '"+response.write(document.domain)+"' -H 'Content-Type: application/json'
The warning:
E_WARNING: Invalid argument supplied for foreach() in wp-includes/rest-api/class-wp-rest-request.php:816
The relevant part of the backtrace:
[24-Apr-2024 04:11:35 UTC] PHP 10. WP_REST_Server->serve_request($path = '/wp/v2/users/1') wp-includes/rest-api.php:428
[24-Apr-2024 04:11:35 UTC] PHP 11. WP_REST_Server->dispatch($request = class WP_REST_Request { protected $method = 'POST'; protected $params = ['URL' => ['id' => '1'], 'GET' => [], 'POST' => [], 'FILES' => [], 'JSON' => '+response.write(document.domain)+', 'defaults' => []]; protected $headers = ['content_type' => [0 => 'application/json'] ]; protected $body = '"+response.write(document.domain)+"'; protected $route = '/wp/v2/users/1'; protected $attributes = ['methods' => ['POST' => TRUE, 'PUT' => TRUE, 'PATCH' => TRUE], 'accept_json' => FALSE, 'accept_raw' => FALSE, 'show_in_index' => TRUE, [.......]; protected $parsed_json = TRUE; protected $parsed_body = FALSE }) wp-includes/rest-api/class-wp-rest-server.php:439
[24-Apr-2024 04:11:35 UTC] PHP 12. WP_REST_Request->sanitize_params() wp-includes/rest-api/class-wp-rest-server.php:1056
Change History (3)
This ticket was mentioned in PR #6491 on WordPress/wordpress-develop by @dd32.
5 months ago
#2
- Keywords has-patch added
#3
@
3 months ago
Test Report
This report validates that the indicated patch addresses the issue.
Patch tested: https://github.com/WordPress/wordpress-develop/pull/6491
Environment
- WordPress: 6.6-beta3-58440-src
- PHP: 7.3.33
- Server: Apache/2.4.57 (Unix) PHP/7.3.33
- Database: mysqli (Server: 5.7.43 / Client: mysqlnd 5.0.12-dev)
- Browser: Safari 17.5 (macOS)
- Theme: Twenty Twenty-Four 1.1
- MU-Plugins: None activated
- Plugins:
- JSON Basic Authentication 0.1
Actual Results
- ✅ No error in the debug.log file after applying the patch.
Additional Notes
The curl request used for testing:
curl --user admin:password http://wordpress.test/wp-json/wp/v2/users/1 --data '1' -H 'Content-Type: application/json'
Supplemental Artifacts
Before applying the patch, the following error was recorded in the debug.log file:
[03-Jul-2024 14:32:18 UTC] PHP Warning: Invalid argument supplied for foreach() in /src/wp-includes/rest-api/class-wp-rest-request.php on line 816
Of course, this is actually a valid JSON input.
These are also valid, and produce the same result.
It seems that the expected outcome here is to simply skip sanitisation of the param, ultimately a missing field should be picked up by the schema of the API endpoint, and the endpoint may expect/handle a string/numeric input in the field.
See attached.
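To make the failure mode concrete, here is an added illustration in PHP. It is not WordPress code and not the code from PR #6491; the function names (decode_json_body, sanitize_json_params_unguarded, sanitize_json_params_guarded) and the sample bodies are constructed for this example, and the internal shape of WP_REST_Request is assumed rather than copied. It shows why a body like '"+response.write(document.domain)+"' or '1' is valid JSON yet breaks an unconditional foreach over the decoded value, and how skipping sanitisation for non-array JSON (leaving the decision to the endpoint schema, as the ticket suggests) avoids the warning.

```php
<?php
// Added example, not WordPress code: reduced model of sanitising JSON params.
// Hypothetical helpers; the real WP_REST_Request internals are assumed, not copied.

declare(strict_types=1);

/**
 * Decode a request body as JSON. json_decode() returns a string for '"foo"',
 * an int for '1' and null for 'null'; all three are valid JSON documents,
 * none of them is an array.
 */
function decode_json_body(string $body)
{
    return json_decode($body, true);
}

/** Unguarded: reproduces the "Invalid argument supplied for foreach()" warning on scalars. */
function sanitize_json_params_unguarded($json_params, callable $sanitizer): array
{
    $clean = [];
    foreach ($json_params as $key => $value) { // emits E_WARNING when $json_params is not iterable
        $clean[$key] = $sanitizer($value);
    }
    return $clean;
}

/** Guarded: skip sanitisation for non-array JSON and let schema validation accept or reject it. */
function sanitize_json_params_guarded($json_params, callable $sanitizer): array
{
    if (!is_array($json_params)) {
        // Nothing to iterate over; a missing or mistyped field is the schema's job to report.
        return [];
    }
    $clean = [];
    foreach ($json_params as $key => $value) {
        $clean[$key] = $sanitizer($value);
    }
    return $clean;
}

// Stand-in sanitiser: trims strings, passes everything else through.
$sanitizer = function ($v) {
    return is_string($v) ? trim($v) : $v;
};

// Constructed sample bodies: all four are valid JSON, only the last decodes to an array.
$bodies = [
    '"+response.write(document.domain)+"',
    '1',
    'null',
    '{"name": "  alice  "}',
];

foreach ($bodies as $body) {
    $decoded = decode_json_body($body);
    printf("body=%s decoded_type=%s\n", $body, gettype($decoded));

    // Capture the warning here instead of letting it land in debug.log.
    set_error_handler(function (int $errno, string $errstr): bool {
        echo "  unguarded: warning raised: {$errstr}\n";
        return true;
    });
    sanitize_json_params_unguarded($decoded, $sanitizer);
    restore_error_handler();

    $clean = sanitize_json_params_guarded($decoded, $sanitizer);
    echo '  guarded: ' . json_encode($clean) . "\n";
}
```

Run it with `php example.php`: the first three bodies trigger the warning in the unguarded path (the exact message wording differs between PHP 7.x and 8.x) and produce an empty parameter set in the guarded path, while the object body is sanitised normally in both. The guard mirrors the ticket's expected outcome of skipping sanitisation rather than trying to coerce a scalar body into parameters.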