From 45c04180f89ba4d1179b3b10ee38621d5e59b6ad Mon Sep 17 00:00:00 2001
From: James Burke
Date: Thu, 9 Apr 2020 18:48:41 -0500
Subject: [PATCH 1/2] Use core WP's query var allow-list

---
 inc/endpoints/class-components-endpoint.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/inc/endpoints/class-components-endpoint.php b/inc/endpoints/class-components-endpoint.php
index 861b297c..b886ac3b 100644
--- a/inc/endpoints/class-components-endpoint.php
+++ b/inc/endpoints/class-components-endpoint.php
@@ -131,6 +131,9 @@ public function register_rest_routes() {
 * @return array
 */
 public function get_route_response( $request ) {
+ global $wp;
+
 /**
 * Action fired on the request.
 *
@@ -138,7 +141,12 @@ public function get_route_response( $request ) {
 */
 do_action( 'wp_irving_components_request', $request );
- $this->params = $request->get_params();
+ // Remove any request parameters that haven't been allow-listed by the
+ // global $wp object's $public_query_vars array.
+ $this->params = array_intersect_key(
+ $request->get_params(),
+ array_flip( $wp->public_query_vars ),
+ );
 // Parse path and context.
 $this->parse_path( $this->params['path'] ?? '' );
@@ -442,6 +450,8 @@ public function fix_rest_url( $url ) : string {
 * @return array $vars Array of query vars.
 */
 public function modify_query_vars( $vars ) {
+ $vars[] = 'context';
+ $vars[] = 'path';
 $vars[] = 'irving-path';
 $vars[] = 'irving-path-params';
 return $vars;

From ea9daa827a74883dde019042ac353faec1b7cf55 Mon Sep 17 00:00:00 2001
From: James Burke
Date: Thu, 9 Apr 2020 18:54:51 -0500
Subject: [PATCH 2/2] Address phpcs errors

---
 inc/endpoints/class-components-endpoint.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/inc/endpoints/class-components-endpoint.php b/inc/endpoints/class-components-endpoint.php
index b886ac3b..4f1a468e 100644
--- a/inc/endpoints/class-components-endpoint.php
+++ b/inc/endpoints/class-components-endpoint.php
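Review bot: The allow-list built from `$wp->public_query_vars` in the new `array_intersect_key()` call only contains `path` and `context` once the `query_vars` filter has run; that holds when the endpoint is reached through normal REST routing, which WordPress dispatches from `parse_request`, but an internal `rest_do_request()` issued earlier would, if I read `WP::parse_request()` correctly, see core's unfiltered defaults and silently drop both params, so `$this->parse_path()` would receive `''`. The `wp_irving_components_request` action fired a few lines above still receives the unfiltered `$request`, so listeners are not covered by the new allow-list. At minimum the new comment should record the dependency, e.g. `// Relies on the 'query_vars' filter having run (WP::parse_request()); modify_query_vars() registers 'path' and 'context' there.` If the early-call case matters, intersecting against the parameter names this endpoint itself expects would give an allow-list that does not depend on global request state. The remainder of get_route_response() lies outside this hunk.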
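Review bot: The two new entries register `path` and `context` as public query vars for every request WordPress parses, not just this endpoint — assuming this method is hooked on the `query_vars` filter, as its name and the `Array of query vars` docblock suggest — so, as far as I recall `WP::parse_request()`, a front-end `?path=…` now lands in `$wp->query_vars` and the main `WP_Query` as well, and such generic names are more likely to collide with other plugins' vars than the existing `irving-` prefixed ones. The hunk also leaves the reason for the additions undocumented, although `get_route_response()` now depends on them. Suggest a comment above the new lines: `// Required by get_route_response(), which keeps only request params listed in $wp->public_query_vars.` The method's docblock lies partly outside this hunk.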
@@ -132,6 +132,7 @@ public function register_rest_routes() {
 */
 public function get_route_response( $request ) {
+ // phpcs:ignore WordPress.WP.GlobalVariablesOverride.OverrideProhibited
 global $wp;
 /**
@@ -145,7 +146,7 @@ public function get_route_response( $request ) {
 // global $wp object's $public_query_vars array.
 $this->params = array_intersect_key(
 $request->get_params(),
- array_flip( $wp->public_query_vars ),
+ array_flip( $wp->public_query_vars )
 );
 // Parse path and context.
@@ -374,7 +375,7 @@ public function build_query() {
 $wp_query = apply_filters( 'wp_irving_components_wp_query', $wp_query, $this->path, $this->custom_params, $this->params );
 // Map to main query and set up globals.
- // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
+ // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited, WordPress.WP.GlobalVariablesOverride.OverrideProhibited
 $wp_the_query = $wp_query;
 $this->register_globals();
@@ -404,7 +405,7 @@ public function permissions_check( $request ) {
 * @see https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp.php#L580
 */
 public function register_globals() {
- // phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited
+ // phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited, WordPress.WP.GlobalVariablesOverride.OverrideProhibited
 global $wp_the_query, $wp_query;
 $wp_query = $wp_the_query;