WordPress.org
Get WordPress

Make WordPress Core

Opened 6 weeks ago

Last modified 3 weeks ago

#64798 new defect (bug)

REST API: Add dimension validation to sideload endpoint

Reported by: adamsilverstein's profile adamsilverstein Owned by:
Milestone: 7.1 Priority: normal
Severity: normal Version:
Component: REST API Keywords: has-patch
Focuses: Cc:

Description (last modified by adamsilverstein)

Summary

Backport for https://github.com/WordPress/wordpress-develop/pull/11100

Add image dimension validation to the wp/v2/media/<id>/sideload REST API endpoint to prevent uploading images with dimensions that don't match the target image size constraints.

Description

The REST API sideload endpoint (wp/v2/media/<id>/sideload) currently accepts uploaded images without validating that their dimensions are appropriate for the specified image_size. This means a client could sideload a 640x480 image as a thumbnail (which is registered as 150x150), producing incorrect metadata and potentially broken layouts.

This ticket adds a validate_image_dimensions() method to WP_REST_Attachments_Controller that validates uploaded image dimensions before processing, with size-specific rules:

Validation rules

  • original size: Uploaded dimensions must match the original attachment dimensions exactly.
  • full and scaled sizes: Only requires positive dimensions (no upper bound constraint).
  • Regular registered sizes (e.g. thumbnail, medium, large): Dimensions must not exceed the registered size maximums, with a 1px tolerance for rounding differences.
  • Unknown sizes: Returns an error for unregistered image size names.

Implementation details

  • Adds private method validate_image_dimensions( int $width, int $height, string $image_size, int $attachment_id ) to WP_REST_Attachments_Controller.
  • Moves the wp_getimagesize() call earlier in sideload_item() so dimensions are available for validation before metadata handling.
  • On validation failure, cleans up the uploaded file with wp_delete_file() before returning the error.
  • Uses wp_get_registered_image_subsizes() to look up size constraints for registered sizes.

Error codes

  • rest_upload_invalid_dimensions — Image has zero or negative dimensions.
  • rest_upload_dimension_mismatch — Dimensions don't match expected constraints for the target size.
  • rest_upload_unknown_size — The specified image_size is not registered.

All errors return HTTP 400 status.

Change History (5)

#1 @adamsilverstein
6 weeks ago

  • Description modified (diff)

This ticket was mentioned in PR #11100 on WordPress/wordpress-develop by @adamsilverstein.
6 weeks ago #2

  • Keywords has-patch added

## Summary

Builds on #11015. Adds dimension validation to the sideload endpoint.

  • Adds validate_image_dimensions() private method to WP_REST_Attachments_Controller
  • Validates uploaded image dimensions against expected size constraints in the wp/v2/media/<id>/sideload endpoint
  • Moves wp_getimagesize() call earlier in sideload_item() to validate before metadata handling

### Validation rules:

  • 'original' size: must match original attachment dimensions exactly
  • 'full' and 'scaled' sizes: requires positive dimensions only
  • Regular sizes: dimensions must not exceed registered size maximums (with 1px tolerance for rounding differences)

## Test plan

  • [x] test_sideload_item_rejects_oversized_dimensions — uploads 640x480 image as thumbnail (150x150), expects 400 with rest_upload_dimension_mismatch
  • [x] test_sideload_item_accepts_valid_dimensions — uploads 50x50 image as thumbnail, expects 200

Corresponding Gutenberg PR: https://github.com/WordPress/gutenberg/pull/74903

This ticket was mentioned in Slack in #core by audrasjb. View the logs.
3 weeks ago

#4 @joedolson
3 weeks ago

  • Milestone changed from 7.0 to 7.1

#5 @audrasjb
3 weeks ago

  • Version trunk deleted

As per today's pre-RC1 scrub, let's move this ticket to 7.1

Note: See TracTickets for help on using tickets.