Changeset 14489

Timestamp:

07/24/2025 01:38:04 AM (10 months ago)

Author:

dd32

Message:

API: Trac helpers: Avoid fatals with invalid inputs.

Location:

sites/trunk/api.wordpress.org/public_html/dotorg/trac

Files:

• oembed/index.php (modified) (2 diffs)
• pr/index.php (modified) (1 diff)

sites/trunk/api.wordpress.org/public_html/dotorg/trac/oembed/index.php

@@ -25 +25 @@
 header( 'X-WP-Embed: true' );
 
-$url = wp_unslash( $_REQUEST['url'] ?? '' );
+$url = $_REQUEST['url'] ?? '';
+$url = is_string( $url ) ? wp_unslash( $url ) : '';
 
 header( 'Allow: GET' );
@@ -31 +32 @@
 
 if (
+    ! $url ||
+    'GET' !== $_SERVER['REQUEST_METHOD'] ||
     // meta|core are the only tracs embedable.
     // milestone|ticketgraph|ticket|changeset are the only endpoints allowable.
-    ! preg_match( '!^(?P<baseurl>https://(?P<trac>meta|core).trac.wordpress.org/)(?P<type>milestone|ticketgraph|ticket|changeset|query)([/?]|$)!i', $url, $m ) ||
-    'GET' !== $_SERVER['REQUEST_METHOD']
+    ! preg_match( '!^(?P<baseurl>https://(?P<trac>meta|core).trac.wordpress.org/)(?P<type>milestone|ticketgraph|ticket|changeset|query)([/?]|$)!i', $url, $m )
 ) {
     header( 'HTTP/1.1 404 Not Found', true, 404 );

sites/trunk/api.wordpress.org/public_html/dotorg/trac/pr/index.php

@@ -5 +5 @@
 require __DIR__ . '/functions.php';
 
-$trac          = preg_replace( '![^a-z]!', '', $_GET['trac'] ?? '' );
+$trac          = $_GET['trac'] ?? '';
+$trac          = is_string( $trac ) ? $trac : '';
+$trac          = preg_replace( '![^a-z]!', '', $trac );
 $ticket        = intval( $_GET['ticket'] ?? 0 );
 $author        = wp_unslash( $_GET['author'] ?? '' );
+$author        = is_string( $author ) ? $author : '';
 $authenticated = ! empty( $_GET['authenticated'] ); // Longer caches for logged out requests.