[wp-trac] [WordPress Trac] #62604: Prevent false-positive in validate_callback() in REST API
WordPress Trac
noreply at wordpress.org
Fri Nov 29 01:22:53 UTC 2024
#62604: Prevent false-positive in validate_callback() in REST API
------------------------------+------------------------------
Reporter: Takahashi_Fumiki | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
------------------------------+------------------------------
Description changed by dd32:
Old description:
> Related: https://github.com/WP-API/docs/issues/194
>
> ```php
> 'type'              => 'string',
> 'validate_callback' => function( $should_be_date ) {
>     return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date );
> }
> ```
>
> The above validation expects the parameter to be in 'YYYY-MM-DD' format, but
> actually any string is treated as "valid" because `preg_match()` returns 0 (a falsy
> value) for a mismatch.
>
> So, validation priority should be `is_wp_error()` -> "is true?" -> "else,
> invalid."
>
> Concerns:
>
> `strpos()` returns 0 for a match.
New description:
Related: https://github.com/WP-API/docs/issues/194
{{{#!php
'type'              => 'string',
'validate_callback' => function( $should_be_date ) {
    return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date );
}
}}}
The above validation expects the parameter to be in 'YYYY-MM-DD' format, but
actually any string is treated as "valid" because `preg_match()` returns 0 (a falsy
value) for a mismatch.
So, validation priority should be `is_wp_error()` -> "is true?" -> "else,
invalid."
Concerns:
`strpos()` returns 0 for a match.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62604#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
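
The outcomes the ticket describes, as an added standalone example (not WordPress core code and not the reporter's patch). Assumptions: `lenient_is_valid()` models a check that rejects only strict `false` or an error object, `proposed_is_valid()` models the proposed order with "is true?" read as a truthiness test, `Stub_Error` stands in for `WP_Error`, and the sample inputs are constructed.

```php
<?php
// Added illustration; not WordPress core code. Stub_Error stands in for WP_Error.
final class Stub_Error {}

// Assumed model of the lenient check: only strict false or an error object rejects.
function lenient_is_valid( $result ) {
	return ! ( false === $result || $result instanceof Stub_Error );
}

// Order proposed in the ticket: error -> "is true?" -> else invalid.
// Assumption: "is true?" is read here as a truthiness test.
function proposed_is_valid( $result ) {
	return ! ( $result instanceof Stub_Error ) && (bool) $result;
}

$pattern   = '/^\d{4}-\d{2}-\d{2}$/u';
$callbacks = array(
	// The ticket's callback: preg_match() gives int 1 on match, int 0 on mismatch.
	'preg_match raw'   => function ( $v ) use ( $pattern ) {
		return preg_match( $pattern, $v );
	},
	// Normalised to a real boolean, so both checks agree.
	'preg_match === 1' => function ( $v ) use ( $pattern ) {
		return 1 === preg_match( $pattern, $v );
	},
	// The strpos() concern: a match at offset 0 is int 0, which is falsy.
	'strpos raw'       => function ( $v ) {
		return strpos( $v, 'wp-' );
	},
	// Explicit comparison keeps offset 0 valid under either check.
	'strpos !== false' => function ( $v ) {
		return false !== strpos( $v, 'wp-' );
	},
);

// Constructed sample inputs.
$inputs = array( '2024-11-29', 'not-a-date', 'wp-trac' );
foreach ( $callbacks as $label => $callback ) {
	foreach ( $inputs as $input ) {
		$result = $callback( $input );
		printf(
			"%-17s %-12s returns %-5s lenient=%-7s proposed=%s\n",
			$label, "'$input'", var_export( $result, true ),
			lenient_is_valid( $result ) ? 'valid' : 'invalid',
			proposed_is_valid( $result ) ? 'valid' : 'invalid'
		);
	}
}
```

The `preg_match raw` row for `not-a-date` is the false positive from the ticket; the `strpos raw` row for `wp-trac` is the case the proposed order would newly reject. Callbacks that return a real boolean behave the same under both checks.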