[wp-trac] [WordPress Trac] #64798: REST API: Add dimension validation to sideload endpoint
WordPress Trac
noreply at wordpress.org
Thu Mar 5 03:34:14 UTC 2026
#64798: REST API: Add dimension validation to sideload endpoint
-----------------------------+---------------------
Reporter: adamsilverstein | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 7.0
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+---------------------
Description changed by adamsilverstein:
Old description:
> ## Summary
>
> Backport for https://github.com/WordPress/wordpress-develop/pull/11100
>
> Add image dimension validation to the `wp/v2/media/<id>/sideload` REST
> API endpoint to prevent uploading images with dimensions that don't match
> the target image size constraints.
>
> ## Description
>
> The REST API sideload endpoint (`wp/v2/media/<id>/sideload`) currently
> accepts uploaded images without validating that their dimensions are
> appropriate for the specified `image_size`. This means a client could
> sideload a 640x480 image as a `thumbnail` (which is registered as
> 150x150), producing incorrect metadata and potentially broken layouts.
>
> This ticket adds a `validate_image_dimensions()` method to
> `WP_REST_Attachments_Controller` that validates uploaded image dimensions
> before processing, with size-specific rules:
>
> ### Validation rules
>
> - **`original` size**: Uploaded dimensions must match the original
> attachment dimensions exactly.
> - **`full` and `scaled` sizes**: Only requires positive dimensions (no
> upper bound constraint).
> - **Regular registered sizes** (e.g. `thumbnail`, `medium`, `large`):
> Dimensions must not exceed the registered size maximums, with a 1px
> tolerance for rounding differences.
> - **Unknown sizes**: Returns an error for unregistered image size names.
>
> ### Implementation details
>
> - Adds private method `validate_image_dimensions( int $width, int
> $height, string $image_size, int $attachment_id )` to
> `WP_REST_Attachments_Controller`.
> - Moves the `wp_getimagesize()` call earlier in `sideload_item()` so
> dimensions are available for validation before metadata handling.
> - On validation failure, cleans up the uploaded file with
> `wp_delete_file()` before returning the error.
> - Uses `wp_get_registered_image_subsizes()` to look up size constraints
> for registered sizes.
>
> ### Error codes
>
> - `rest_upload_invalid_dimensions` — Image has zero or negative
> dimensions.
> - `rest_upload_dimension_mismatch` — Dimensions don't match expected
> constraints for the target size.
> - `rest_upload_unknown_size` — The specified `image_size` is not
> registered.
>
> All errors return HTTP 400 status.
New description:
== Summary
Backport for https://github.com/WordPress/wordpress-develop/pull/11100
Add image dimension validation to the `wp/v2/media/<id>/sideload` REST API
endpoint to prevent uploading images with dimensions that don't match the
target image size constraints.
== Description
The REST API sideload endpoint (`wp/v2/media/<id>/sideload`) currently
accepts uploaded images without validating that their dimensions are
appropriate for the specified `image_size`. This means a client could
sideload a 640x480 image as a `thumbnail` (which is registered as
150x150), producing incorrect metadata and potentially broken layouts.
This ticket adds a `validate_image_dimensions()` method to
`WP_REST_Attachments_Controller` that validates uploaded image dimensions
before processing, with size-specific rules:
=== Validation rules
- **`original` size**: Uploaded dimensions must match the original
attachment dimensions exactly.
- **`full` and `scaled` sizes**: Only requires positive dimensions (no
upper bound constraint).
- **Regular registered sizes** (e.g. `thumbnail`, `medium`, `large`):
Dimensions must not exceed the registered size maximums, with a 1px
tolerance for rounding differences.
- **Unknown sizes**: Returns an error for unregistered image size names.
=== Implementation details
- Adds private method `validate_image_dimensions( int $width, int $height,
string $image_size, int $attachment_id )` to
`WP_REST_Attachments_Controller`.
- Moves the `wp_getimagesize()` call earlier in `sideload_item()` so
dimensions are available for validation before metadata handling.
- On validation failure, cleans up the uploaded file with
`wp_delete_file()` before returning the error.
- Uses `wp_get_registered_image_subsizes()` to look up size constraints
for registered sizes.
=== Error codes
- `rest_upload_invalid_dimensions` — Image has zero or negative
dimensions.
- `rest_upload_dimension_mismatch` — Dimensions don't match expected
constraints for the target size.
- `rest_upload_unknown_size` — The specified `image_size` is not
registered.
All errors return HTTP 400 status.
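As an added example (not code from the ticket or the linked PR), here is a stand-alone PHP version of the four validation rules and three error codes described above. It assumes a `$sizes` array shaped like the return value of `wp_get_registered_image_subsizes()`, takes the original attachment dimensions as a plain argument instead of reading attachment metadata, returns a plain array in place of `WP_Error`, skips the `wp_delete_file()` cleanup, and treats a registered width or height of 0 as unbounded (a WordPress convention the ticket does not spell out).

```php
<?php
// Added example: mirrors the ticket's rules without any WordPress dependency.
// Returns null when the dimensions are acceptable, otherwise an array with the
// error code and HTTP status the ticket specifies.
function validate_image_dimensions( $width, $height, $image_size, array $original, array $sizes ) {
	$width  = (int) $width;
	$height = (int) $height;

	// Every target size requires positive dimensions.
	if ( $width <= 0 || $height <= 0 ) {
		return array( 'code' => 'rest_upload_invalid_dimensions', 'status' => 400 );
	}

	// 'original': must match the original attachment exactly.
	if ( 'original' === $image_size ) {
		if ( $width !== (int) $original['width'] || $height !== (int) $original['height'] ) {
			return array( 'code' => 'rest_upload_dimension_mismatch', 'status' => 400 );
		}
		return null;
	}

	// 'full' and 'scaled': positive dimensions are enough, no upper bound.
	if ( 'full' === $image_size || 'scaled' === $image_size ) {
		return null;
	}

	// Anything else must be a registered sub-size.
	if ( ! isset( $sizes[ $image_size ] ) ) {
		return array( 'code' => 'rest_upload_unknown_size', 'status' => 400 );
	}

	// Registered size: must not exceed the registered maximum, 1px tolerance.
	// Assumption: a registered 0 means "unbounded" in that dimension.
	$max_w = (int) $sizes[ $image_size ]['width'];
	$max_h = (int) $sizes[ $image_size ]['height'];
	if ( ( $max_w > 0 && $width > $max_w + 1 ) || ( $max_h > 0 && $height > $max_h + 1 ) ) {
		return array( 'code' => 'rest_upload_dimension_mismatch', 'status' => 400 );
	}
	return null;
}

// Constructed sample data modelled on the WordPress default sizes.
$sizes    = array(
	'thumbnail' => array( 'width' => 150, 'height' => 150, 'crop' => true ),
	'medium'    => array( 'width' => 300, 'height' => 300, 'crop' => false ),
);
$original = array( 'width' => 4000, 'height' => 3000 );

var_dump( validate_image_dimensions( 640, 480, 'thumbnail', $original, $sizes ) );  // the ticket's example
var_dump( validate_image_dimensions( 151, 150, 'thumbnail', $original, $sizes ) );  // within 1px tolerance
var_dump( validate_image_dimensions( 4000, 3000, 'original', $original, $sizes ) ); // exact match
var_dump( validate_image_dimensions( 100, 100, 'nonexistent', $original, $sizes ) );
```

Running it with `php` on the command line exercises each branch: the 640x480 thumbnail and the unregistered size name fail, the other two pass.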
Ticket URL: <https://core.trac.wordpress.org/ticket/64798#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform