[wp-trac] [WordPress Trac] #49991: PHP Warnings on invalid requests to wp-json/oembed/1.0/embed

WordPress Trac noreply at wordpress.org
Fri Apr 24 03:08:12 UTC 2020


#49991: PHP Warnings on invalid requests to wp-json/oembed/1.0/embed
--------------------------+-----------------------------
 Reporter:  dd32          |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Embeds        |    Version:
 Severity:  normal        |   Keywords:  has-patch
  Focuses:  rest-api      |
--------------------------+-----------------------------
 The `url` parameter can cause PHP Warnings on invalid requests. Such
 requests shouldn't be made, but Vulnerability scanners have a tendency to
 fuzz the API since it's linked to from most pages/posts.

 https://...../wp-json/oembed/1.0/embed?url[]=example
 > PHP Warning:  ltrim() expects parameter 1 to be string, array given in
 wp-includes/formatting.php on line 4297

 This happens as the `url` field's `sanitize_callback` is set to
 `esc_url_raw` which doesn't handle invalid inputs well.
 Adding a `validate_callback` to check it's a string works properly.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49991>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
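Added example (not the ticket's patch and not WordPress core code): the route
arg the ticket describes next to a hardened version with a `validate_callback`,
run through a minimal stand-in for the REST server's validate-then-sanitize
ordering so it executes without WordPress. `esc_url_raw` is replaced by a stub
that keeps only the `ltrim()` call from the ticket, and every `example_`-prefixed
name is hypothetical. Note that on PHP 8 the same array argument raises a
`TypeError` from `ltrim()` instead of a warning, which is an uncaught 500
rather than a log line.

```php
<?php
// Added example for ticket #49991; not the ticket's patch and not WordPress
// core code. The example_* names are hypothetical.

// Stand-in for the real esc_url_raw(): only the ltrim() call mentioned in the
// ticket is kept, which is enough to show why an array argument breaks it.
if ( ! function_exists( 'esc_url_raw' ) ) {
    function esc_url_raw( $url ) {
        return ltrim( $url );
    }
}

// Hypothetical validate callback: the parameter must be a scalar string.
// In real WordPress code you would return a WP_Error so the client gets a
// 400 with a message; plain false is used here so the script is standalone.
function example_validate_url_is_string( $value, $request = null, $param = 'url' ) {
    return is_string( $value );
}

// Route arg as the ticket describes it: only a sanitize_callback, so any
// value, including an array, goes straight into esc_url_raw().
$example_args_before = array(
    'url' => array(
        'required'          => true,
        'sanitize_callback' => 'esc_url_raw',
    ),
);

// Hardened arg: validate first, sanitize only what passed validation.
$example_args_after = array(
    'url' => array(
        'required'          => true,
        'validate_callback' => 'example_validate_url_is_string',
        'sanitize_callback' => 'esc_url_raw',
    ),
);

// Minimal stand-in for the REST server: reject on failed validation
// (what WordPress reports as a 400 rest_invalid_param), otherwise sanitize.
function example_process_param( array $arg, $value ) {
    if ( isset( $arg['validate_callback'] )
        && true !== call_user_func( $arg['validate_callback'], $value, null, 'url' ) ) {
        return array( 'status' => 400, 'value' => null );
    }
    if ( isset( $arg['sanitize_callback'] ) ) {
        $value = call_user_func( $arg['sanitize_callback'], $value );
    }
    return array( 'status' => 200, 'value' => $value );
}

// Constructed query strings; the second one is the scanner-style request
// from the ticket. PHP's query parser turns url[]=example into an array.
foreach ( array( 'url=https://example.com/post/1', 'url[]=example' ) as $query ) {
    parse_str( $query, $params );
    printf( "%-30s -> url is %s\n", $query, gettype( $params['url'] ) );

    // Original args: a string is fine, an array reaches ltrim() and triggers
    // the warning from the ticket (a TypeError on PHP 8, caught here).
    try {
        $result = example_process_param( $example_args_before['url'], $params['url'] );
        printf( "  before: HTTP %d, value=%s\n", $result['status'], var_export( $result['value'], true ) );
    } catch ( TypeError $e ) {
        printf( "  before: TypeError: %s\n", $e->getMessage() );
    }

    // Hardened args: arrays are rejected before the sanitizer ever runs.
    $result = example_process_param( $example_args_after['url'], $params['url'] );
    printf( "  after : HTTP %d, value=%s\n", $result['status'], var_export( $result['value'], true ) );
}
```

Run it with `php example.php`. The same rejection can be had from core's own
schema validator by declaring `'type' => 'string'` on the arg and using
`rest_validate_request_arg` as the `validate_callback`; whichever validator is
used, the point is that type checks belong in `validate_callback`, since a
`sanitize_callback` is handed whatever shape the query string produced.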

