[wp-trac] [WordPress Trac] #37192: Validate before sanitizing when processing REST Request arguments

WordPress Trac noreply at wordpress.org
Tue Aug 2 15:16:26 UTC 2016


#37192: Validate before sanitizing when processing REST Request arguments
---------------------------------------------+--------------------------
 Reporter:  danielbachhuber                  |       Owner:  rachelbaker
     Type:  defect (bug)                     |      Status:  closed
 Priority:  normal                           |   Milestone:  4.6
Component:  REST API                         |     Version:  4.4
 Severity:  normal                           |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit  |     Focuses:
---------------------------------------------+--------------------------

Comment (by joehoyle):

 This slipped through the net, so only just noticed this. I wanted to note
 this was not a mistake at the time, and was a conscious decision, see my
 original proposal and PR for this here:
 https://github.com/WP-API/WP-API/pull/989

 Though the terminology can be mixed, the basic thought process was:

 1. Clean (sanitize) the input data to make sure it's of the type you
 expect (primarily a security measure)
 2. Check the value (cleaned) for "validity", meaning, is the value "draft"
 valid for the post status.

 This is why it was first sanitize, then validate. Sanitize is a
 transformer to the expected data type, validate is essentially a bool
 check.

 > If you're using validation to check that an argument is of a particular
 type, the validation can fail if the sanitization callback transforms the
 type.

 In the above case, the `sanitization_callback` would have incorrectly
 transformed the type to something that "validate_callback" was not unable
 to determine if the value was invalid. A good example of this is
 `sanitize_email` as that will actually return an empty string (or false I
 think) if a string that is not an email is passed, in which case the data
 then passed to `validate_callback` is empty. In this case,
 `sanitize_email` is just a _bad actor_, that's why we special-case it in
 `rest_sanitize_request_arg` here:
 https://github.com/WP-API/WP-API/blob/8edf3fc7454ea7e774f4b7e290efdc51b0feac63/plugin.php#L395

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37192#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
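
The ordering question in this ticket, as an added example that is not code from WordPress core, the WP-API plugin, or the commenter: a plain-PHP model of running an argument's `sanitize_callback` and `validate_callback` in either order. `demo_sanitize_email`, `demo_validate_email` and `demo_process` are hypothetical helpers, the sanitizer only imitates the "returns an empty string for a non-email" behaviour described in the comment, and the request data is constructed.

```php
<?php
// Hypothetical stand-in modelled on the behaviour the comment attributes to
// sanitize_email: anything that is not an email comes back as ''.
function demo_sanitize_email($value) {
    $value = trim((string) $value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : '';
}

// Hypothetical validator for an optional argument: '' means "not supplied".
function demo_validate_email($value) {
    return $value === '' || filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Run both callbacks for every declared argument in the chosen order.
function demo_process(array $params, array $args, $validate_first) {
    $invalid = array();
    foreach ($args as $name => $cb) {
        if (!array_key_exists($name, $params)) {
            continue;
        }
        if ($validate_first) {
            if (!call_user_func($cb['validate_callback'], $params[$name])) {
                $invalid[] = $name;
                continue; // rejected input is never sanitized or stored
            }
            $params[$name] = call_user_func($cb['sanitize_callback'], $params[$name]);
        } else {
            $params[$name] = call_user_func($cb['sanitize_callback'], $params[$name]);
            if (!call_user_func($cb['validate_callback'], $params[$name])) {
                $invalid[] = $name;
            }
        }
    }
    return array('params' => $params, 'invalid' => $invalid);
}

$args = array('email' => array(
    'sanitize_callback' => 'demo_sanitize_email',
    'validate_callback' => 'demo_validate_email',
));
$request = array('email' => 'not-an-email'); // constructed sample input

// Sanitize first: the bad value becomes '' and the validator sees nothing wrong.
var_dump(demo_process($request, $args, false));
// Validate first: the validator sees the raw value and flags 'email'.
var_dump(demo_process($request, $args, true));
```

With sanitize-first the request is accepted and the stored value is silently an empty string; with validate-first the caller gets an error naming the `email` argument.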

