Make WordPress Core

Opened 5 months ago

Last modified 3 months ago

#61907 new enhancement

Make oembed_invalid_url return 400 instead of 404

Reported by: leedxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Embeds
Keywords: has-patch
Focuses:
Cc:

Description

In wp-includes/class-wp-oembed-controller.php the error response for an invalid URL is a 404.

                        return new WP_Error( 'oembed_invalid_url', get_status_header_desc( 404 ), array( 'status' => 404 ) );

Please consider changing this to a 400.

The oembed endpoint seems to be an absolute magnet for unauthorised vulnerability checking, and from the webserver logs we can't see the difference between oembed_invalid_url and a legitimate request that also returns a 404.
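The log-side benefit described above, as an added example that is not part of the ticket or of WordPress: a summary of oEmbed REST responses per client that isolates clients repeatedly answered with 400. It assumes the proposed 400 status is in place and that the server writes Combined Log Format; the helper names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
OEMBED_ROUTES = ("/oembed/1.0/embed", "/oembed/1.0/proxy")

def oembed_route(target):
    """Return the oEmbed REST route a request target addresses, or None."""
    parts = urlsplit(target)
    # Pretty permalinks use /wp-json/<route>; plain permalinks use ?rest_route=<route>.
    if "/wp-json/" in parts.path:
        route = "/" + parts.path.split("/wp-json/", 1)[1]
    else:
        route = parse_qs(parts.query).get("rest_route", [""])[0]
    route = route.rstrip("/")
    return route if route in OEMBED_ROUTES else None

def summarise(lines):
    """Per client IP, count oEmbed responses by HTTP status."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, _method, target, status = m.groups()
        if oembed_route(target):
            per_ip[ip][int(status)] += 1
    return per_ip

def rejected_url_clients(lines, threshold=3):
    """IPs with at least `threshold` 400 responses from the oEmbed routes.
    Other REST parameter validation failures also answer 400 and are counted."""
    return sorted(ip for ip, c in summarise(lines).items() if c[400] >= threshold)

def _line(ip, target, status):  # builds one constructed log line
    return f'{ip} - - [01/Sep/2024:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 120 "-" "-"'

SAMPLE = [  # constructed sample input, documentation-range addresses
    _line("198.51.100.7", "/wp-json/oembed/1.0/embed?url=not-a-url", 400),
    _line("198.51.100.7", "/wp-json/oembed/1.0/proxy?url=not-a-url", 400),
    _line("198.51.100.7", "/?rest_route=/oembed/1.0/embed&url=not-a-url", 400),
    _line("203.0.113.9", "/?rest_route=/oembed/1.0/embed&url=https%3A%2F%2Fexample.org%2Fpost", 200),
    _line("203.0.113.9", "/wp-json/oembed/1.0/embed?url=typo", 400),
    _line("192.0.2.4", "/missing-page", 404),  # ordinary site 404, not an oEmbed request
]

if __name__ == "__main__":
    print(rejected_url_clients(SAMPLE))
```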

Change History (2)

This ticket was mentioned in PR #7227 on WordPress/wordpress-develop by @narenin.


5 months ago
#1

  • Keywords has-patch added

#2 @kadamwhite
3 months ago

  • Component changed from REST API to Embeds

Adjusting component label -- oembed handling predates the REST API and has its own component.
