[buddypress-trac] [BuddyPress Trac] #8601: PHP Notice in BP_Core_oEmbed_Extension::oembed_xml_request()

buddypress-trac noreply at wordpress.org
Mon Nov 29 06:08:02 UTC 2021


#8601: PHP Notice in BP_Core_oEmbed_Extension::oembed_xml_request()
--------------------------+-----------------------------
 Reporter:  dd32          |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 https://github.com/buddypress/buddypress/blob/master/src/bp-core/classes/class-bp-core-oembed-extension.php#L483-L489

 The BuddyPress oEmbed API endpoint doesn't validate that a valid `url` is
 passed in before processing.

 For example:
 {{{
 E_NOTICE: Undefined index: url in wp-content/plugins/buddypress/bp-core/classes/class-bp-core-oembed-extension.php:484

 Source: GET https://buddypress.org/wp-json/oembed/1.0/embed?1C87dvZNvCO&format=xml

 File: wp-content/plugins/buddypress/bp-core/classes/class-bp-core-oembed-extension.php
 }}}

 Suggested patch:
 {{{
 #!diff
 Index: bp-core/classes/class-bp-core-oembed-extension.php
 ===================================================================
 --- bp-core/classes/class-bp-core-oembed-extension.php  (revision 2636604)
 +++ bp-core/classes/class-bp-core-oembed-extension.php  (working copy)
 @@ -469,31 +469,31 @@ abstract class BP_Core_oEmbed_Extension
          * @param WP_HTTP_ResponseInterface $result  Result to send to the
 client. Usually a WP_REST_Response.
          * @param WP_REST_Request           $request Request used to
 generate the response.
          * @param WP_REST_Server            $server  Server instance.
          * @return bool
          */
         public function oembed_xml_request( $served, $result, $request,
 $server ) {
                 $params = $request->get_params();

                 if ( ! isset( $params['format'] ) || 'xml' !==
 $params['format'] ) {
                         return $served;
                 }

                 // Validate URL against our oEmbed endpoint. If not valid,
 bail.
                 // This is our mod to _oembed_rest_pre_serve_request().
                 $query_params = $request->get_query_params();
 -               if ( false === $this->validate_url_to_item_id(
 $query_params['url'] ) ) {
 +               if ( ! isset( $query_params['url'] ) || false ===
 $this->validate_url_to_item_id( $query_params['url'] ) ) {
                         return $served;
                 }

                 // Embed links inside the request.
                 $data = $server->response_to_data( $result, false );

                 if ( ! class_exists( 'SimpleXMLElement' ) ) {
                         status_header( 501 );
                         die( get_status_header_desc( 501 ) );
                 }

                 $result = _oembed_create_xml( $data );

                 // Bail if there's no XML.
                 if ( ! $result ) {
 }}}
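 Review bot: the `! isset( $query_params['url'] )` guard in the changed condition stops the undefined-index notice, but an empty value (`?url=`) still satisfies isset() and is passed straight to validate_url_to_item_id(); unless that method is known to reject empty strings, `empty( $query_params['url'] )` together with an `is_string()` check (query values can also arrive as arrays) would fail closed more reliably. The request in the report (`?1C87dvZNvCO&format=xml`) is exactly the missing-`url` case this guard covers, so a test for both the absent and the empty parameter would pin the behaviour down.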

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8601>
BuddyPress Trac <http://buddypress.org/>