From ac6b1d8256ff3990275351cda2f5f1995ed77411 Mon Sep 17 00:00:00 2001
From: Jb Audras
Date: Tue, 12 Mar 2024 13:33:26 +0000
Subject: [PATCH] REST API: Remove unnecessary upload overrides in font face controller. This removes settings that are the default value or required for side-loading from the `WP_REST_Font_Faces_Controller::handle_font_file_upload()`. This is to harden the endpoint and future proof against any changes to `wp_handle_upload()` and related functions/security checks. Reviewed by swissspidy, audrasjb. Merges [57804] to the to the 6.5 branch. Props peterwilsoncc, dd32. Fixes #60741.
git-svn-id: https://develop.svn.wordpress.org/branches/6.5@57813 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../endpoints/class-wp-rest-font-faces-controller.php | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php
index 3b3a338b83..309fb126e1 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php
@@ -874,18 +874,17 @@ class WP_REST_Font_Faces_Controller extends WP_REST_Posts_Controller {
 $overrides = array(
 'upload_error_handler' => array( $this, 'handle_font_file_upload_error' ),
- // Arbitrary string to avoid the is_uploaded_file() check applied
- // when using 'wp_handle_upload'.
- 'action' => 'wp_handle_font_upload',
 // Not testing a form submission.
 'test_form' => false,
- // Seems mime type for files that are not images cannot be tested.
- // See wp_check_filetype_and_ext().
- 'test_type' => true,
 // Only allow uploading font files for this request.
 'mimes' => WP_Font_Utils::get_allowed_font_mime_types(),
 );
+ // Bypasses is_uploaded_file() when running unit tests.
+ if ( defined( 'DIR_TESTDATA' ) && DIR_TESTDATA ) {
+ $overrides['action'] = 'wp_handle_mock_upload';
+ }
+
 $uploaded_file = wp_handle_upload( $file, $overrides );
 remove_filter( 'upload_dir', $set_upload_dir );
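Review bot: The added `DIR_TESTDATA` branch is now the only place in this method where the `is_uploaded_file()` check can be switched off, and its one-line comment does not say what keeps that branch out of production. The condition is only a truthy-constant test, so any install where configuration or a plugin defines `DIR_TESTDATA` would take the mock-upload path for this endpoint; presumably only the test bootstrap defines it, but nothing visible here enforces that. I would expand the comment to something like `// Test-only: DIR_TESTDATA is expected to be defined solely by the PHPUnit bootstrap. It must never be defined on a live site, or is_uploaded_file() is skipped for font uploads.` With this branch active in the suite, the default upload action is also not exercised by these tests, which seems worth a sentence in the method docblock. The enclosing method starts and ends outside the hunk.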