[wp-trac] [WordPress Trac] #37192: Validate before sanitizing when processing REST Request arguments

WordPress Trac noreply at wordpress.org
Tue Aug 2 19:10:44 UTC 2016


#37192: Validate before sanitizing when processing REST Request arguments
---------------------------------------------+--------------------------
 Reporter:  danielbachhuber                  |       Owner:  rachelbaker
     Type:  defect (bug)                     |      Status:  closed
 Priority:  normal                           |   Milestone:  4.6
Component:  REST API                         |     Version:  4.4
 Severity:  normal                           |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit  |     Focuses:
---------------------------------------------+--------------------------

Comment (by ChopinBach):

 My interpretation of using `sanitize_callback()`, after starting to use
 the API, was that its intention was in line with what Joe pointed out.

 > 1. Clean (sanitize) the input data to make sure it's of the type you
 > expect (primarily a security measure)

 The API itself is using extremely loose validation. If we implement this
 change (well, it is already implemented), we will potentially need to do a
 lot more logic in the validation, as we will be relying on loose type and
 other things.

 Potentially, as Joe mentioned in slack, `<script>alert('ZOMG Hacking you
 Hard')</script>` would by default, the way the WP REST API plugin is
 currently, now be "valid" input which would need to then be "sanitized".
 In its original form, `sanitize_callback()` acted as a fault-tolerant
 whitelist filter. But because of it being named `sanitize_callback()`, we
 will now need to move some of that logic into the validation, or provide
 more robust validation that is not fault tolerant.

 Overall, after thinking about it, this patch is probably good and
 potentially we should just slap all of the logic into the validate callback,
 so there are not any semantic headaches in the future. I fail to see the
 harm of what the original implementation was; but I could definitely be
 wrong.

 Maybe to make everyone happy, we can rename things into a three-pronged
 approach of `filter_callback()`, `validate_callback()`, `sanitize_callback()`.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37192#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
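A route definition that keeps the two callbacks in the roles the 4.6 change expects (strict validation first, then sanitization of input that already passed), written as an added example rather than code from the ticket or from WordPress core. The namespace, route, parameter name and the exact character whitelist are assumptions; the WordPress functions used are real.

```php
<?php
// Added example (not from the ticket or WordPress core). Route name,
// parameter name and the allowed-character rule are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/greeting', array(
        'methods'             => 'GET',
        // Public read-only endpoint; newer WordPress versions require this key.
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            // By the time this runs, `name` has passed validate_callback
            // and then been normalised by sanitize_callback.
            return rest_ensure_response( array( 'name' => $request['name'] ) );
        },
        'args'                => array(
            'name' => array(
                'required'          => true,
                // Runs first in 4.6+: reject anything that is not the expected
                // shape instead of relying on sanitization to "fix" it.
                'validate_callback' => function ( $value, $request, $param ) {
                    if ( ! is_string( $value ) ) {
                        return new WP_Error( 'rest_invalid_param',
                            sprintf( '%s must be a string.', $param ),
                            array( 'status' => 400 ) );
                    }
                    // Whitelist: letters, digits, spaces, hyphens, apostrophes.
                    // Markup such as <script> is therefore invalid input,
                    // not "valid input that still needs cleaning".
                    if ( ! preg_match( '/^[\p{L}\p{N} \'-]{1,64}$/u', $value ) ) {
                        return new WP_Error( 'rest_invalid_param',
                            sprintf( '%s contains unsupported characters.', $param ),
                            array( 'status' => 400 ) );
                    }
                    return true;
                },
                // Runs second: only normalises values that already validated.
                'sanitize_callback' => function ( $value ) {
                    return sanitize_text_field( $value );
                },
            ),
        ),
    ) );
} );
```

With this ordering a request such as `?name=<script>alert(1)</script>` is answered with a 400 `rest_invalid_param` error from the validation step and never reaches `sanitize_callback`, which is the behaviour the ticket's change makes the default.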