REST API: Prevent attachment ID/image source mismatch when editing an image.

Fixes #50565.

git-svn-id: https://develop.svn.wordpress.org/trunk@48498 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

@@ -421,7 +421,11 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 		$image_file = wp_get_original_image_path( $attachment_id );
 		$image_meta = wp_get_attachment_metadata( $attachment_id );
 
-		if ( ! $image_meta || ! $image_file ) {
+		if (
+			! $image_meta ||
+			! $image_file ||
+			! wp_image_file_matches_image_meta( $request['src'], $image_meta )
+		) {
 			return new WP_Error(
 				'rest_unknown_attachment',
 				__( 'Unable to get meta information for file.' ),
@@ -1289,6 +1293,12 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 				'minimum'     => 0,
 				'maximum'     => 100,
 			),
+			'src'      => array(
+				'description' => __( 'URL to the edited image file.' ),
+				'type'        => 'string',
+				'format'      => 'uri',
+				'required'    => true,
+			),
 		);
 	}