REST API: Exit gracefully for malformed URLs.

Exit gracefully for requests with a malformed `rest_route` query string parameter, ie anything that is not a string. This prevents fatal errors from occurring with URLs such as `example.com/?rest_route[]=array` as the URL is user input so logging the data provides no benefit to developers as they are unable to resolve the issue. Props geekofshire, dd32, timothyblynjacobs. Fixes #62932. git-svn-id: https://develop.svn.wordpress.org/trunk@59886 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Feb 27, 2025 · e7ce9bb · e7ce9bb
1 parent 83b9080
commit e7ce9bb
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
@@ -430,6 +430,16 @@ function rest_api_loaded() {
 		return;
 	}
 
+	// Return an error message if query_var is not a string.
+	if ( ! is_string( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
+		$rest_type_error = new WP_Error(
+			'rest_path_invalid_type',
+			__( 'The rest route parameter must be a string.' ),
+			array( 'status' => 400 )
+		);
+		wp_die( $rest_type_error );
+	}
+
 	/**
 	 * Whether this is a REST Request.
 	 *

diff --git a/tests/phpunit/tests/rest-api.php b/tests/phpunit/tests/rest-api.php
@@ -2558,4 +2558,29 @@ public function test_route_args_is_array_of_arrays() {
 
 		$this->assertTrue( $registered );
 	}
+
+	/**
+	 * @ticket 62932
+	 */
+	public function test_should_return_error_if_rest_route_not_string() {
+		global $wp;
+
+		$wp = new stdClass();
+
+		$wp->query_vars = array(
+			'rest_route' => array( 'invalid' ),
+		);
+
+		$this->expectException( WPDieException::class );
+
+		try {
+			rest_api_loaded();
+		} catch ( WPDieException $e ) {
+			$this->assertStringContainsString(
+				'The rest route parameter must be a string.',
+				$e->getMessage()
+			);
+			throw $e; // Re-throw to satisfy expectException
+		}
+	}
 }