From e7ce9bbfbf28cb2d92bccf8fedee868ecda199a1 Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Thu, 27 Feb 2025 23:17:38 +0000
Subject: [PATCH] REST API: Exit gracefully for malformed URLs.

Exit gracefully for requests with a malformed `rest_route` query string parameter, ie anything that is not a string. This prevents fatal errors from occurring with URLs such as `example.com/?rest_route[]=array` as the URL is user input so logging the data provides no benefit to developers as they are unable to resolve the issue.

Props geekofshire, dd32, timothyblynjacobs.
Fixes #62932.

git-svn-id: https://develop.svn.wordpress.org/trunk@59886 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/rest-api.php | 10 ++++++++++
 tests/phpunit/tests/rest-api.php | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index c990f11ada..10b168bda6 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -430,6 +430,16 @@ function rest_api_loaded() {
 return;
 }
+ // Return an error message if query_var is not a string.
+ if ( ! is_string( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
+ $rest_type_error = new WP_Error(
+ 'rest_path_invalid_type',
+ __( 'The rest route parameter must be a string.' ),
+ array( 'status' => 400 )
+ );
+ wp_die( $rest_type_error );
+ }
+
 /**
 * Whether this is a REST Request.
 *
diff --git a/tests/phpunit/tests/rest-api.php b/tests/phpunit/tests/rest-api.php
index 472e6a9b9d..72baa613a4 100644
--- a/tests/phpunit/tests/rest-api.php
+++ b/tests/phpunit/tests/rest-api.php
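Review bot: The new comment above the `is_string()` check says what the check does but not why it exists or why the answer is a 400, which is what the next reader of rest_api_loaded() needs; something like `// rest_route comes straight from the query string, so it can be an array (?rest_route[]=x); reject anything but a string with a 400 before the string handling below trips a TypeError.` captures the reasoning given in the commit message. Because the exit happens before the "Whether this is a REST Request" block that follows, the error is served by wp_die()'s default handler rather than as a REST JSON error response, and the 400 appears to be taken from the WP_Error's 'status' data — acceptable for a malformed URL, but worth a clause in the comment so nobody later "fixes" it into a REST response without meaning to. The `$rest_type_error` temporary is used once and could be passed straight in as `wp_die( new WP_Error( ... ) )`. The enclosing function continues outside the hunk.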
@@ -2558,4 +2558,29 @@ class Tests_REST_API extends WP_UnitTestCase {
 $this->assertTrue( $registered );
 }
+
+ /**
+ * @ticket 62932
+ */
+ public function test_should_return_error_if_rest_route_not_string() {
+ global $wp;
+
+ $wp = new stdClass();
+
+ $wp->query_vars = array(
+ 'rest_route' => array( 'invalid' ),
+ );
+
+ $this->expectException( WPDieException::class );
+
+ try {
+ rest_api_loaded();
+ } catch ( WPDieException $e ) {
+ $this->assertStringContainsString(
+ 'The rest route parameter must be a string.',
+ $e->getMessage()
+ );
+ throw $e; // Re-throw to satisfy expectException
+ }
+ }
 }
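Review bot: The try/catch around `rest_api_loaded()` exists only to assert on the message and then re-throw, which PHPUnit already does for you; `$this->expectException( WPDieException::class ); $this->expectExceptionMessage( 'The rest route parameter must be a string.' ); rest_api_loaded();` replaces the nine-line try block with the same substring check on the message. Separately, `$wp = new stdClass();` overwrites the global WP object for the rest of the process; unless the base test case restores `$wp` in tear_down, which I cannot see from here, the test should keep the original in a local and put it back after the call so later tests in the run do not inherit a bare stdClass. The enclosing class continues outside the hunk.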