[wp-trac] [WordPress Trac] #50075: Trigger _doing_it_wrong for dangerous REST API endpoint option

WordPress Trac noreply at wordpress.org
Tue Jul 21 12:01:26 UTC 2020


#50075: Trigger _doing_it_wrong for dangerous REST API endpoint option
-------------------------------------------------+-------------------------
 Reporter:  rmccue                               |       Owner:
                                                 |  TimothyBlynJacobs
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:  5.5
Component:  REST API                             |     Version:  4.4
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests needs-dev-  |     Focuses:
  note commit                                    |
-------------------------------------------------+-------------------------
Changes (by TimothyBlynJacobs):

 * owner:  (none) => TimothyBlynJacobs
 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"48526" 48526]:
 {{{
 #!CommitTicketReference repository="" revision="48526"
 REST API: Issue a _doing_it_wrong when registering a route without a
 permission callback.

 The REST API treats routes without a permission_callback as public.
 Because this happens without any warning to the user, if the permission
 callback is unintentionally omitted or misspelled, the endpoint can end up
 being available to the public. Such a scenario has happened multiple times
 in the wild, and the results can be catastrophic when it occurs.

 For REST API routes that are intended to be public, it is recommended to
 set the permission callback to the `__return_true` built-in function.

 Fixes #50075.
 Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50075#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
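The following is an added illustration of the two registration patterns the commit message contrasts; it is not code from the ticket, the changeset or WordPress core. The namespace `myplugin/v1`, the route names, the capability check and the `audit_routes_missing_permission_callback()` helper are constructed for this example; the helper walks the route table returned by `rest_get_server()->get_routes()` and is an assumed convenience for a site owner reviewing third-party plugins, not a core API.

```php
<?php
/**
 * Added example: explicit permission callbacks on REST routes.
 *
 * Constructed for illustration; not part of WordPress core or the ticket.
 * Assumes it runs inside a WordPress plugin (register_rest_route,
 * rest_get_server, current_user_can and WP_REST_Response are core functions).
 */

add_action( 'rest_api_init', function () {
	// Risky form: no permission_callback at all. Before 5.5 this silently
	// became a public endpoint; from 5.5 onward it triggers _doing_it_wrong.
	// Kept here only to show what the notice is warning about.
	register_rest_route( 'myplugin/v1', '/export', array(
		'methods'  => 'GET',
		'callback' => 'myplugin_export_settings',
		// 'permission_callback' missing: anonymous visitors can call this.
	) );

	// Hardened form for a privileged route: the callback decides explicitly
	// who may reach the handler. Returning false (or a WP_Error) yields a
	// 401/403 before the handler runs.
	register_rest_route( 'myplugin/v1', '/export-secure', array(
		'methods'             => 'GET',
		'callback'            => 'myplugin_export_settings',
		'permission_callback' => function ( WP_REST_Request $request ) {
			// Assumed capability for this example; pick the narrowest that fits.
			return current_user_can( 'manage_options' );
		},
	) );

	// Intentionally public route: state that intent explicitly with
	// __return_true, as the commit message recommends, instead of omitting
	// the key. Anyone reviewing the code can now see the route is meant to
	// be public rather than accidentally exposed.
	register_rest_route( 'myplugin/v1', '/status', array(
		'methods'             => 'GET',
		'callback'            => 'myplugin_public_status',
		'permission_callback' => '__return_true',
	) );
} );

function myplugin_export_settings( WP_REST_Request $request ) {
	// Constructed payload; a real handler would return plugin settings.
	return new WP_REST_Response( array( 'settings' => array( 'example' => true ) ), 200 );
}

function myplugin_public_status( WP_REST_Request $request ) {
	return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}

/**
 * Assumed helper (not a core API): list registered routes whose endpoints
 * have no permission_callback. Useful for auditing installed plugins once
 * rest_api_init has run; each entry in get_routes() maps a route pattern to
 * its endpoint definitions.
 *
 * @return string[] Route patterns with at least one endpoint lacking the key.
 */
function audit_routes_missing_permission_callback() {
	$missing = array();
	foreach ( rest_get_server()->get_routes() as $route => $endpoints ) {
		foreach ( $endpoints as $endpoint ) {
			if ( empty( $endpoint['permission_callback'] ) ) {
				$missing[] = $route;
				break; // one hit per route is enough for a report
			}
		}
	}
	return $missing;
}

// Example usage from an admin-only context, e.g. a WP-CLI command or a
// debugging page: with the routes above registered, '/myplugin/v1/export'
// is reported and the two explicit routes are not.
add_action( 'wp_loaded', function () {
	if ( defined( 'WP_CLI' ) && WP_CLI ) {
		foreach ( audit_routes_missing_permission_callback() as $route ) {
			WP_CLI::warning( "Route without permission_callback: {$route}" );
		}
	}
} );
```

The audit helper complements the core notice: `_doing_it_wrong` only fires when `WP_DEBUG` surfaces it at registration time, whereas walking the route table lets an operator check a production site's installed plugins for the same omission.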

