Make WordPress Core

Opened 6 weeks ago

Last modified 5 weeks ago

#61842 new defect (bug)

Uncaught TypeError in /wp-json/wp/v2/menu-items REST API POST operation

Reported by: mlf20
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.2.2
Component: REST API
Keywords: has-patch has-unit-tests reporter-feedback
Focuses: rest-api
Cc:

Description

Upon creating a fresh instance of WordPress and setting up the REST API, a malformed POST request to the REST API endpoint /wp-json/wp/v2/menu-items results in an exception in the endpoint.

Arises from an array being given in the request when a string is expected. Would expect a 400 Bad Request for any unexpected types.

Command to reproduce

curl -X POST "http://[WORDPRESSDOMAIN]/wp-json/wp/v2/menu-items" -d '{"title":"fuzzstring","type":"fuzzstring","status":"fuzzstring","parent":0,"attr_title":"fuzzstring","classes":fuzzstring?,"description":"fuzzstring","menu_order":0,"object":"fuzzstring","object_id":0,"target":"fuzzstring","url":{ "fuzz" : false },"xfn":fuzzstring?,"menus":0}' -H 'Content-Type: application/json'

Stacktrace

<b>Fatal error</b>:  Uncaught TypeError: ltrim(): Argument #1 ($string) must be of type string, array given in /var/www/html/wp-includes/formatting.php:4415
Stack trace:
#0 /var/www/html/wp-includes/formatting.php(4415): ltrim(Array)
#1 /var/www/html/wp-includes/formatting.php(4540): esc_url(Array, NULL, 'db')
#2 /var/www/html/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php(856): sanitize_url(Array)
#3 /var/www/html/wp-includes/rest-api/class-wp-rest-request.php(911): WP_REST_Menu_Items_Controller::{closure}(Array, Object(WP_REST_Request), 'url')
#4 /var/www/html/wp-includes/rest-api/class-wp-rest-server.php(1018): WP_REST_Request-&gt;has_valid_params()
#5 /var/www/html/wp-includes/rest-api/class-wp-rest-server.php(443): WP_REST_Server-&gt;dispatch(Object(WP_REST_Request))
#6 /var/www/html/wp-includes/rest-api.php(410): WP_REST_Server-&gt;serve_request('/wp/v2/menu-ite...')
#7 /var/www/html/wp-includes/class-wp-hook.php(308): rest_api_loaded(Object(WP))
#8 /var/www/html/wp-includes/class-wp-hook.php(332): WP_Hook-&gt;apply_filters('', Array)
#9 /var/www/html/wp-includes/plugin.php(565): WP_Hook-&gt;do_action(Array)
#10 /var/www/html/wp-includes/class-wp.php(399): do_action_ref_array('parse_request', Array)
#11 /var/www/html/wp-includes/class-wp.php(780): WP-&gt;parse_request('')
#12 /var/www/html/wp-includes/functions.php(1334): WP-&gt;main('')
#13 /var/www/html/wp-blog-header.php(16): wp()
#14 /var/www/html/index.php(17): require('/var/www/html/w...')
#15 {main}
  thrown in <b>/var/www/html/wp-includes/formatting.php</b> on line <b>4415</b><br />
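
A defensive pattern for the failure reported above, as an added example that is not part of the ticket or of PR #7173: a hypothetical plugin route whose validate callback checks the parameter's type before any string function touches it. The route `example/v1/link` and the `example_` function name are assumptions made for illustration; the WordPress functions called are existing core APIs.

```php
<?php
/**
 * Added illustration (hypothetical plugin file, not WordPress core code).
 * The route "example/v1/link" and the function name are made up for this example.
 */

// Validate the type first, so that only a string ever reaches sanitize_url().
function example_validate_url_param( $value, $request, $param ) {
	// Core helper: returns true, or a WP_Error describing the type mismatch.
	$valid = rest_validate_value_from_schema( $value, array( 'type' => 'string' ), $param );
	if ( is_wp_error( $valid ) ) {
		// The REST server turns this into a rest_invalid_param error (HTTP 400).
		return $valid;
	}

	// Reject non-empty strings that sanitize_url() empties out (e.g. a disallowed protocol).
	if ( '' !== $value && '' === sanitize_url( $value ) ) {
		return new WP_Error( 'rest_invalid_url', 'Invalid URL.', array( 'status' => 400 ) );
	}

	return true;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/link', array(
		'methods'             => 'POST',
		'permission_callback' => function () {
			return current_user_can( 'edit_theme_options' );
		},
		'callback'            => function ( WP_REST_Request $request ) {
			return rest_ensure_response( array( 'url' => $request['url'] ) );
		},
		'args'                => array(
			'url' => array(
				'type'              => 'string',
				'required'          => true,
				'validate_callback' => 'example_validate_url_param',
				// Wrap sanitize_url() so the extra callback arguments are not passed to it.
				'sanitize_callback' => function ( $value ) {
					return sanitize_url( $value );
				},
			),
		),
	) );
} );
```

With this in place, a body such as `{"url":{"fuzz":false}}` is rejected during validation and never reaches `ltrim()`.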

Change History (2)

#1
6 weeks ago

  • Keywords has-patch has-unit-tests added

This ticket was mentioned in PR #7173 on WordPress/wordpress-develop by @mi5t4n.

#2 @antonvlasenko
5 weeks ago

  • Keywords reporter-feedback added

Reproduction Report

Environment

  • WordPress: 6.7-alpha-58576-src
  • PHP: 7.3.33
  • Server: Apache/2.4.57 (Unix) PHP/7.3.33
  • Database: mysqli (Server: 5.7.43 / Client: mysqlnd 5.0.12-dev)
  • Browser: Safari 17.6 (macOS)
  • Theme: Twenty Twenty-Four 1.2
  • MU-Plugins: None activated
  • Plugins:
    • JSON Basic Authentication 0.1

Actual Results

  • ❌ Issue cannot be reproduced.

Additional Notes

I get a proper HTTP 400 response code and no fatal errors/warnings in debug.log.

Supplemental Artifacts

https://cldup.com/73Z_wKpHCS.png
