From da5ece4d6d76b10639eabad390af86126b7a4599 Mon Sep 17 00:00:00 2001
From: James Nylen
Date: Thu, 3 Aug 2017 19:54:56 +0000
Subject: [PATCH] REST API: Exclude numeric parameters from regex parsing

The list of endpoint parameters should only include explicitly named and requested parameters.

Props flixos90, rmccue, jnylen0.
Fixes #40704.

git-svn-id: https://develop.svn.wordpress.org/trunk@41223 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../rest-api/class-wp-rest-server.php | 9 ++++++++-
 tests/phpunit/tests/rest-api/rest-server.php | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/rest-api/class-wp-rest-server.php b/src/wp-includes/rest-api/class-wp-rest-server.php
index 548d6c17c4..c69cb4834c 100644
--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -824,12 +824,19 @@ class WP_REST_Server {
 $path = $request->get_route();

 foreach ( $this->get_routes() as $route => $handlers ) {
- $match = preg_match( '@^' . $route . '$@i', $path, $args );
+ $match = preg_match( '@^' . $route . '$@i', $path, $matches );

 if ( ! $match ) {
 continue;
 }

+ $args = array();
+ foreach ( $matches as $param => $value ) {
+ if ( ! is_int( $param ) ) {
+ $args[ $param ] = $value;
+ }
+ }
+
 foreach ( $handlers as $handler ) {
 $callback = $handler['callback'];
 $response = null;
diff --git a/tests/phpunit/tests/rest-api/rest-server.php b/tests/phpunit/tests/rest-api/rest-server.php
index 1cd9e68463..cb75f4e726 100644
--- a/tests/phpunit/tests/rest-api/rest-server.php
+++ b/tests/phpunit/tests/rest-api/rest-server.php
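Review bot: The new filter loop in class-wp-rest-server.php has no comment saying why integer keys are dropped, and that intent is the security-relevant part of the change: preg_match() reports each named group under both its name and its position, plus the whole matched route at index 0, so without the filter positional captures would travel in `$args` alongside the declared parameters. I would add `// Keep only named captures; preg_match() also returns every group by numeric index, and those must not become request parameters.` above `$args = array();`. Separately, a named group that is optional and did not take part in the match can still be reported by preg_match() as an empty string, so `$args` may carry `''` for it; whether that should be skipped depends on how `$args` is consumed, which is outside the hunk. The enclosing method starts before and continues after the visible lines.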
@@ -162,6 +162,23 @@ class Tests_REST_Server extends WP_Test_REST_TestCase {
 $this->assertEquals( 200, $response->get_status() );
 }

+ public function test_url_params_no_numeric_keys() {
+
+ $this->server->register_route( 'test', '/test/(?P.*)', array(
+ array(
+ 'methods' => WP_REST_Server::READABLE,
+ 'callback' => '__return_false',
+ 'args' => array(
+ 'data' => array(),
+ ),
+ ),
+ ) );
+
+ $request = new WP_REST_Request( 'GET', '/test/some-value' );
+ $this->server->dispatch( $request );
+ $this->assertEquals( array( 'data' => 'some-value' ), $request->get_params() );
+ }
+
 /**
 * Pass a capability which the user does not have, this should
 * result in a 403 error.
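Review bot: The new test covers only a route with a single named group and compares with `assertEquals`, which is loose about value types; `$this->assertSame( array( 'data' => 'some-value' ), $request->get_params() );` would pin the exact keys and values. A second case whose route also contains an unnamed capture group ahead of the named one would cover the input the filter in class-wp-rest-server.php is aimed at, and would fail if a positional capture ever reached the request parameters again. As rendered on this page the route pattern reads `(?P.*)`; the group name (presumably the `data` key declared under `args`) appears to have been lost in extraction, so the listing should not be copied as is.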