REST API: Exit gracefully for malformed URLs.

Exit gracefully for requests with a malformed `rest_route` query string parameter, ie anything that is not a string. This prevents fatal errors from occurring with URLs such as `example.com/?rest_route[]=array` as the URL is user input so logging the data provides no benefit to developers as they are unable to resolve the issue. Props geekofshire, dd32, timothyblynjacobs. Fixes #62932. git-svn-id: https://develop.svn.wordpress.org/trunk@59886 602fd350-edb4-49c9-b593-d223f7449a82
2025-03-24 22:10:02 +01:00 · 2025-02-27 23:17:38 +00:00 · 2025-02-27 23:17:38 +00:00 · e7ce9bbfbf
commit e7ce9bbfbf
parent 83b90808e9
2 changed files with 35 additions and 0 deletions
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@ -430,6 +430,16 @@ function rest_api_loaded() {
 		return;
 	}

+	// Return an error message if query_var is not a string.
+	if ( ! is_string( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
+		$rest_type_error = new WP_Error(
+			'rest_path_invalid_type',
+			__( 'The rest route parameter must be a string.' ),
+			array( 'status' => 400 )
+		);
+		wp_die( $rest_type_error );
+	}
+
 	/**
 	 * Whether this is a REST Request.
 	 *
--- a/tests/phpunit/tests/rest-api.php
+++ b/tests/phpunit/tests/rest-api.php
@ -2558,4 +2558,29 @@ class Tests_REST_API extends WP_UnitTestCase {

 		$this->assertTrue( $registered );
 	}
+
+	/**
+	 * @ticket 62932
+	 */
+	public function test_should_return_error_if_rest_route_not_string() {
+		global $wp;
+
+		$wp = new stdClass();
+
+		$wp->query_vars = array(
+			'rest_route' => array( 'invalid' ),
+		);
+
+		$this->expectException( WPDieException::class );
+
+		try {
+			rest_api_loaded();
+		} catch ( WPDieException $e ) {
+			$this->assertStringContainsString(
+				'The rest route parameter must be a string.',
+				$e->getMessage()
+			);
+			throw $e; // Re-throw to satisfy expectException
+		}
+	}
 }