[wp-trac] [WordPress Trac] #49991: PHP Warnings on invalid requests to wp-json/oembed/1.0/embed
WordPress Trac
noreply at wordpress.org
Fri Apr 24 03:08:12 UTC 2020
#49991: PHP Warnings on invalid requests to wp-json/oembed/1.0/embed
--------------------------+-----------------------------
Reporter: dd32 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Keywords: has-patch
Focuses: rest-api |
--------------------------+-----------------------------
The `url` parameter can cause PHP Warnings on invalid requests. Such
requests shouldn't be made, but vulnerability scanners have a tendency to
fuzz the API since it's linked to from most pages/posts.
https://...../wp-json/oembed/1.0/embed?url[]=example
> PHP Warning: ltrim() expects parameter 1 to be string, array given in wp-includes/formatting.php on line 4297
This happens as the `url` field's `sanitize_callback` is set to
`esc_url_raw`, which doesn't handle invalid inputs well.
Adding a `validate_callback` to check it's a string works properly.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49991>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
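The failure mode and the fix described in the ticket, as an added example (not the patch attached to the ticket): a REST route whose `url` argument is only sanitized with `esc_url_raw`, next to the same argument with a `validate_callback` that rejects non-string input with a 400 before the sanitizer ever sees it. The `example/v1` namespace, route and handler names are assumed; `register_rest_route`, `esc_url_raw`, `WP_Error` and `rest_ensure_response` are the real WordPress APIs.

```php
<?php
// Added example, not core code. Namespace, route and handler are assumed.
add_action( 'rest_api_init', function () {

    // Weak: only a sanitize_callback. A request like ?url[]=example hands
    // esc_url_raw() an array, which reaches ltrim() and emits the PHP Warning.
    register_rest_route( 'example/v1', '/embed-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_embed_handler',
        'permission_callback' => '__return_true',
        'args'                => array(
            'url' => array(
                'required'          => true,
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
    ) );

    // Hardened: validate_callback runs before sanitize_callback, so a
    // non-string value is rejected with a 400 rest_invalid_param response
    // and esc_url_raw() only ever receives a string.
    register_rest_route( 'example/v1', '/embed', array(
        'methods'             => 'GET',
        'callback'            => 'example_embed_handler',
        'permission_callback' => '__return_true',
        'args'                => array(
            'url' => array(
                'required'          => true,
                'validate_callback' => function ( $value, $request, $param ) {
                    if ( ! is_string( $value ) ) {
                        return new WP_Error(
                            'rest_invalid_param',
                            sprintf( '%s must be a string.', $param ),
                            array( 'status' => 400 )
                        );
                    }
                    return true;
                },
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
    ) );
} );

// Assumed handler: by the time it runs, $request['url'] is a sanitized string.
function example_embed_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'url' => $request['url'] ) );
}
```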