
Changeset 10998


Timestamp:
05/27/2021 12:42:54 AM (4 years ago)
Author:
dd32
Message:

Translations API: Harden the API against invalid input.

This prevents PHP warnings and should make it clear to users of the API when they are calling it incorrectly.

Location:
sites/trunk/api.wordpress.org/public_html/translations
Files:
4 edited

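--- a/sites/trunk/api.wordpress.org/public_html/translations/core/1.0/index.php
+++ b/sites/trunk/api.wordpress.org/public_html/translations/core/1.0/index.php
@@ -8,5 +8,14 @@
 wp_cache_init();
 
-$version = isset( $_REQUEST['version'] ) ? str_replace( '-src', '', $_REQUEST['version'] ) : WP_CORE_LATEST_RELEASE;
+$version = WP_CORE_LATEST_RELEASE;
+if ( isset( $_REQUEST['version'] ) ) {
+    $version = $_REQUEST['version'];
+    if ( ! is_string( $version ) || ! is_numeric( $version[0] ) ) {
+        header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
+        die( '?version= must be a valid WordPress version' );
+    }
+
+    $version = str_replace( '-src', '', $version );
+}
 
 $translations = find_all_translations_for_core( $version );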
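Review bot: An empty `?version=` still emits a PHP diagnostic on the `is_numeric( $version[0] )` line: `isset()` is true for `''`, `is_string()` passes, and indexing `$version[0]` on an empty string raises an uninitialized-string-offset warning before the 400 is sent, which is exactly the noise the commit sets out to remove. Test for emptiness before indexing, `if ( ! is_string( $version ) || '' === $version || ! is_numeric( $version[0] ) ) {`. Note also that only the leading character is validated; the remainder of the string reaches `find_all_translations_for_core()` unchanged, so that function must keep treating `$version` as untrusted input.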
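--- a/sites/trunk/api.wordpress.org/public_html/translations/lib.php
+++ b/sites/trunk/api.wordpress.org/public_html/translations/lib.php
@@ -18,4 +18,12 @@
     if ( $type === 'core' && null === $version ) {
         $version = WP_CORE_LATEST_RELEASE;
+    }
+
+    // Optimize against junk inputs.
+    if ( ! $domain || ! is_string( $domain ) ) {
+        return array();
+    }
+    if ( $version && ! is_string( $version ) ) {
+        return array();
     }
 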
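Review bot: The added comment `// Optimize against junk inputs.` presents the guards that follow as an optimization, but they are input validation that changes the function's result (an empty array instead of a lookup), so the comment should say what is rejected and why, e.g. `// Reject junk input early: a missing or non-string domain, or a non-string version, can never match a translation set.` The `! $domain` truthiness test also treats the string `'0'` as missing, which is probably acceptable for a text domain but worth stating if intended. The enclosing function begins before this hunk, so the declared types of `$domain`, `$version` and `$type` cannot be confirmed from here.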
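--- a/sites/trunk/api.wordpress.org/public_html/translations/plugins/1.0/index.php
+++ b/sites/trunk/api.wordpress.org/public_html/translations/plugins/1.0/index.php
@@ -8,6 +8,13 @@
 wp_cache_init();
 
-$slug = isset( $_REQUEST['slug'] ) ? $_REQUEST['slug'] : '';
+$slug    = isset( $_REQUEST['slug'] )    ? $_REQUEST['slug']    : '';
 $version = isset( $_REQUEST['version'] ) ? $_REQUEST['version'] : null;
+
+foreach ( [ 'slug', 'version' ] as $field ) {
+    if ( $$field && ! is_string( $$field ) ) {
+        header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
+        die( "?{$field}= invalid." );
+    }
+}
 
 $translations = find_all_translations_for_type_and_domain( 'plugin', $slug, $version );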
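Review bot: The new validation loop reaches `$slug` and `$version` through the variable-variable `$$field`, which defeats static analysis and IDE navigation and is easy to misread; iterating over the values directly keeps the loop explicit: `foreach ( [ 'slug' => $slug, 'version' => $version ] as $field => $value ) {` and `if ( $value && ! is_string( $value ) ) {`. The identical loop is added in themes/1.0/index.php, which should get the same change. Because the check only rejects non-string values, any string slug still flows to `find_all_translations_for_type_and_domain()`, which is presumably where the slug itself is validated.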
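--- a/sites/trunk/api.wordpress.org/public_html/translations/themes/1.0/index.php
+++ b/sites/trunk/api.wordpress.org/public_html/translations/themes/1.0/index.php
@@ -8,6 +8,13 @@
 wp_cache_init();
 
-$slug = isset( $_REQUEST['slug'] ) ? $_REQUEST['slug'] : '';
+$slug    = isset( $_REQUEST['slug'] )    ? $_REQUEST['slug']    : '';
 $version = isset( $_REQUEST['version'] ) ? $_REQUEST['version'] : null;
+
+foreach ( [ 'slug', 'version' ] as $field ) {
+    if ( $$field && ! is_string( $$field ) ) {
+        header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
+        die( "?{$field}= invalid." );
+    }
+}
 
 $translations = find_all_translations_for_type_and_domain( 'theme', $slug, $version );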