[wp-trac] [WordPress Trac] #62932: Fatal error in rest api with invalid inputs
WordPress Trac
noreply at wordpress.org
Mon Feb 10 01:50:53 UTC 2025
#62932: Fatal error in rest api with invalid inputs
--------------------------+-----------------------------
Reporter: dd32 | Owner: (none)
Type: defect (bug) | Status: new
Priority: low | Milestone: Awaiting Review
Component: REST API | Version:
Severity: trivial | Keywords: php8
Focuses: rest-api |
--------------------------+-----------------------------
A request similar to the following causes a PHP fatal error under PHP 8:
`https://example.org/?rest_route[pen]=tester`
This causes irrelevant error log noise for sites which attempt to process
the request as a rest-api request.
This can be duplicated via playground:
https://playground.wordpress.net/?php=8.1&url=%3Frest_route%5Bpen%5D%3Dtester
{{{
PHP Fatal error: Uncaught TypeError: rtrim(): Argument #1 ($string) must
be of type string, array given in /wordpress/wp-includes/formatting.php:2
Stack trace:
#0 /wordpress/wp-includes/formatting.php(2): rtrim(Array, '/\\')
#1 /wordpress/wp-includes/rest-api.php(2): untrailingslashit(Array)
#2 /wordpress/wp-includes/class-wp-hook.php(3):
rest_api_loaded(Object(WP))
#3 /wordpress/wp-includes/class-wp-hook.php(3): WP_Hook->apply_filters('',
Array)
#4 /wordpress/wp-includes/plugin.php(2): WP_Hook->do_action(Array)
#5 /wordpress/wp-includes/class-wp.php(3):
do_action_ref_array('parse_request', Array)
#6 /wordpress/wp-includes/class-wp.php(3): WP->parse_request('')
#7 /wordpress/wp-includes/functions.php(2): WP->main('')
#8 /wordpress/wp-blog-header.php(2): wp()
#9 /wordpress/index.php(2): require('/wordpress/wp-b...')
#10 {main}
thrown in /wordpress/wp-includes/formatting.php on line 2
}}}
A minimal patch is simply to check for stringyness:
{{{#!diff
Index: wp-includes/rest-api.php
===================================================================
--- src/wp-includes/rest-api.php (revision 59793)
+++ src/wp-includes/rest-api.php (working copy)
@@ -426,7 +426,7 @@
* @global WP $wp Current WordPress environment instance.
*/
function rest_api_loaded() {
- if ( empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
+ if ( empty( $GLOBALS['wp']->query_vars['rest_route'] ) || !
is_string( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
return;
}
}}}
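Review bot: The new `! is_string()` test in `rest_api_loaded()` shares the early `return;` with the `empty()` case, so an array-valued `rest_route` is silently treated as if no REST route was requested and the request proceeds as an ordinary non-REST request. It is worth stating in a code comment or in the ticket whether that fall-through is intended, as opposed to answering with a REST error for a malformed route. The visible change also carries no test; a case that sets `query_vars['rest_route']` to an array, as `rest_route[pen]=tester` does, and asserts that no `TypeError` reaches `untrailingslashit()` would keep this from regressing.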
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62932>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform