From 38b400c4d7960b679934e41a7eb55cedce23f4fa Mon Sep 17 00:00:00 2001
From: Joe Hoyle
Date: Thu, 26 Jan 2017 13:52:06 +0000
Subject: [PATCH] REST API: Return an error if the page number is out of bounds.
Return an error from the REST API if a page number larger than the total pages count is requested. Props morganestes. Fixes #39061.
git-svn-id: https://develop.svn.wordpress.org/trunk@39967 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../endpoints/class-wp-rest-posts-controller.php | 5 +++++
 .../phpunit/tests/rest-api/rest-posts-controller.php | 11 +++++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index c33b8d1a70..25e9c9a405 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -327,6 +327,11 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 }
 $max_pages = ceil( $total_posts / (int) $posts_query->query_vars['posts_per_page'] );
+
+ if ( $page > $max_pages && $total_posts > 0 ) {
+ return new WP_Error( 'rest_post_invalid_page_number', __( 'The page number requested is larger than the number of pages available.' ), array( 'status' => 400 ) );
+ }
+
 $response = rest_ensure_response( $posts );
 $response->header( 'X-WP-Total', (int) $total_posts );
diff --git a/tests/phpunit/tests/rest-api/rest-posts-controller.php b/tests/phpunit/tests/rest-api/rest-posts-controller.php
index f5f12a0625..d907c68ea8 100644
--- a/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php
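Review bot: In class-wp-rest-posts-controller.php the new bounds check trusts `$max_pages`, which the context line just above it computes by dividing by `(int) $posts_query->query_vars['posts_per_page']` with no guard on the divisor. If a query filter or a custom post type ever sets posts_per_page to -1 (nothing in this hunk rules that out), `$max_pages` becomes negative and `$page > $max_pages` holds for every request, so any non-empty collection would answer 400 where it previously returned results. Keying the condition on the computed page count avoids that while keeping the empty-collection behaviour: `if ( $max_pages > 0 && $page > $max_pages ) {`. A divisor of 0 is a separate, pre-existing division by zero on the same line and would still need its own guard. The enclosing method starts and ends outside the hunk, and `$page` is assigned outside it as well.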
@@ -827,6 +827,17 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
 }
+ /**
+ * @ticket 39061
+ */
+ public function test_get_items_invalid_max_pages() {
+ // Out of bounds
+ $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+ $request->set_param( 'page', REST_TESTS_IMPOSSIBLY_HIGH_NUMBER );
+ $response = $this->server->dispatch( $request );
+ $this->assertErrorResponse( 'rest_post_invalid_page_number', $response, 400 );
+ }
+
 public function test_get_items_invalid_context() {
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'context', 'banana' );
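Review bot: test_get_items_invalid_max_pages probes only REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, so neither edge of the new check is pinned: the first page past the last one, and the empty-collection case that the `$total_posts > 0` guard in the controller deliberately leaves as a normal response. The test also passes only if the fixture holds at least one post the request can see, which is presumably created in setup outside this hunk; a comment such as `// Requires at least one post: an empty collection never returns this error.` above the request would make that dependency explicit. A companion case that requests the last valid page and asserts a 200 would catch an off-by-one in the comparison.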