[wp-trac] [WordPress Trac] #64798: REST API: Add dimension validation to sideload endpoint
WordPress Trac
noreply at wordpress.org
Thu Mar 5 03:33:20 UTC 2026
#64798: REST API: Add dimension validation to sideload endpoint
-----------------------------+--------------------
Reporter: adamsilverstein | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 7.0
Component: REST API | Version: trunk
Severity: normal | Keywords:
Focuses: |
-----------------------------+--------------------
## Summary
Backport for https://github.com/WordPress/wordpress-develop/pull/11100
Add image dimension validation to the `wp/v2/media/<id>/sideload` REST API
endpoint to prevent uploading images with dimensions that don't match the
target image size constraints.
## Description
The REST API sideload endpoint (`wp/v2/media/<id>/sideload`) currently
accepts uploaded images without validating that their dimensions are
appropriate for the specified `image_size`. This means a client could
sideload a 640x480 image as a `thumbnail` (which is registered as
150x150), producing incorrect metadata and potentially broken layouts.
This ticket adds a `validate_image_dimensions()` method to
`WP_REST_Attachments_Controller` that validates uploaded image dimensions
before processing, with size-specific rules:
### Validation rules
- **`original` size**: Uploaded dimensions must match the original
attachment dimensions exactly.
- **`full` and `scaled` sizes**: Only requires positive dimensions (no
upper bound constraint).
- **Regular registered sizes** (e.g. `thumbnail`, `medium`, `large`):
Dimensions must not exceed the registered size maximums, with a 1px
tolerance for rounding differences.
- **Unknown sizes**: Returns an error for unregistered image size names.
### Implementation details
- Adds private method `validate_image_dimensions( int $width, int $height,
string $image_size, int $attachment_id )` to
`WP_REST_Attachments_Controller`.
- Moves the `wp_getimagesize()` call earlier in `sideload_item()` so
dimensions are available for validation before metadata handling.
- On validation failure, cleans up the uploaded file with
`wp_delete_file()` before returning the error.
- Uses `wp_get_registered_image_subsizes()` to look up size constraints
for registered sizes.
### Error codes
- `rest_upload_invalid_dimensions` — Image has zero or negative
dimensions.
- `rest_upload_dimension_mismatch` — Dimensions don't match expected
constraints for the target size.
- `rest_upload_unknown_size` — The specified `image_size` is not
registered.
All errors return HTTP 400 status.
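The following is an added illustration of the validation rules listed above, written for this ticket and not taken from PR #11100 or from `WP_REST_Attachments_Controller`. It models the decision logic as a stand-alone function so the ordering of the checks (positive dimensions first, then the `original`/`full`/`scaled` special cases, then unknown names, then registered maximums with the 1px tolerance) can be exercised without a WordPress install. `registered_sizes_example()` is a constructed stand-in for `wp_get_registered_image_subsizes()`, the original attachment dimensions are constructed, and every name ending in `_example` is hypothetical. The file cleanup with `wp_delete_file()` that the ticket describes is left to the caller, since this example never touches the filesystem.

```php
<?php
// Added example, not the code from PR #11100: a stand-alone model of the
// dimension rules described in the ticket. Names ending in _example are
// hypothetical; the size table and original dimensions are constructed.

/** Constructed stand-in for wp_get_registered_image_subsizes(). */
function registered_sizes_example(): array {
    return array(
        'thumbnail' => array( 'width' => 150,  'height' => 150,  'crop' => true ),
        'medium'    => array( 'width' => 300,  'height' => 300,  'crop' => false ),
        'large'     => array( 'width' => 1024, 'height' => 1024, 'crop' => false ),
    );
}

/**
 * Returns null when the upload is acceptable, otherwise array( $code, $message )
 * where $code is one of the error codes listed in the ticket. All three map
 * to HTTP 400 in the controller.
 *
 * @param int    $width         Width reported by wp_getimagesize() for the upload.
 * @param int    $height        Height reported by wp_getimagesize() for the upload.
 * @param string $image_size    Target size name from the request.
 * @param array  $original_dims array( 'width' => int, 'height' => int ) of the attachment's original file.
 * @param array  $registered    Registered sizes, shaped like wp_get_registered_image_subsizes().
 */
function validate_image_dimensions_example( int $width, int $height, string $image_size, array $original_dims, array $registered ): ?array {
    // Every size: zero or negative dimensions are rejected before anything else.
    if ( $width <= 0 || $height <= 0 ) {
        return array( 'rest_upload_invalid_dimensions', "Image dimensions {$width}x{$height} are not positive." );
    }

    // 'original': must match the stored original exactly.
    if ( 'original' === $image_size ) {
        if ( $width !== $original_dims['width'] || $height !== $original_dims['height'] ) {
            return array(
                'rest_upload_dimension_mismatch',
                sprintf( 'Expected %dx%d for original, got %dx%d.', $original_dims['width'], $original_dims['height'], $width, $height ),
            );
        }
        return null;
    }

    // 'full' and 'scaled': no upper bound, positive dimensions suffice.
    if ( in_array( $image_size, array( 'full', 'scaled' ), true ) ) {
        return null;
    }

    // Any other name must be a registered subsize.
    if ( ! isset( $registered[ $image_size ] ) ) {
        return array( 'rest_upload_unknown_size', "Image size '{$image_size}' is not registered." );
    }

    // Registered subsize: must not exceed its maximums, with 1px tolerance
    // for rounding differences in the client's resize step.
    $tolerance = 1;
    $max       = $registered[ $image_size ];
    if ( $width > $max['width'] + $tolerance || $height > $max['height'] + $tolerance ) {
        return array(
            'rest_upload_dimension_mismatch',
            sprintf( '%s allows at most %dx%d, got %dx%d.', $image_size, $max['width'], $max['height'], $width, $height ),
        );
    }
    return null;
}

// Self-check on constructed inputs, including the ticket's 640x480-as-thumbnail case.
$original = array( 'width' => 2000, 'height' => 1500 );
$sizes    = registered_sizes_example();
$cases    = array(
    array( 640,  480,  'thumbnail', 'rest_upload_dimension_mismatch' ),
    array( 151,  150,  'thumbnail', null ), // within the 1px tolerance
    array( 2000, 1500, 'original',  null ),
    array( 1999, 1500, 'original',  'rest_upload_dimension_mismatch' ),
    array( 5000, 5000, 'full',      null ),
    array( 0,    100,  'medium',    'rest_upload_invalid_dimensions' ),
    array( 100,  100,  'banner',    'rest_upload_unknown_size' ),
);
foreach ( $cases as list( $w, $h, $size, $expected ) ) {
    $result = validate_image_dimensions_example( $w, $h, $size, $original, $sizes );
    $code   = null === $result ? null : $result[0];
    printf( "%4dx%-4d %-10s => %s\n", $w, $h, $size, $code ?? 'ok' );
    if ( $code !== $expected ) {
        throw new RuntimeException( "Unexpected result for {$w}x{$h} {$size}" );
    }
}
```

Run it with `php validate_example.php`; it prints one line per case and throws if any outcome differs from the rule the ticket states. Note that the registered-size branch only enforces an upper bound, so a client may still submit a smaller-than-registered image for a subsize; that matches the "must not exceed" wording in the ticket and is worth keeping in mind when reviewing what the server will accept.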
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64798>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform