vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-06-28 14:20:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

REST API: Don’t remove unregistered properties from objects in schema.

Browse Source 
In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

git-svn-id: https://develop.svn.wordpress.org/trunk@42000 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Joe Hoyle
2017-10-24 21:04:50 +00:00
parent 36f253d1d9
commit fb2e44456e
6 changed files with 118 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/wp-includes/rest-api.php
View File

@@ -1106,13 +1106,13 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) {
}
foreach ( $value as $property => $v ) {
if ( ! isset( $args['properties'][ $property ] ) ) {
continue;
}
$is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' );
if ( is_wp_error( $is_valid ) ) {
return $is_valid;
if ( isset( $args['properties'][ $property ] ) ) {
$is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' );
if ( is_wp_error( $is_valid ) ) {
return $is_valid;
}
} elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not a valid property of Object.' ), $property ) );
}
}
}
@@ -1246,11 +1246,11 @@ function rest_sanitize_value_from_schema( $value, $args ) {
}
foreach ( $value as $property => $v ) {
if ( ! isset( $args['properties'][ $property ] ) ) {
if ( isset( $args['properties'][ $property ] ) ) {
$value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] );
} elseif ( isset( $args['additionalProperties'] ) && false === $args['additionalProperties'] ) {
unset( $value[ $property ] );
continue;
}
$value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] );
}
return $value;