
Viewing changes to wp-includes/rest-api/class-wp-rest-server.php

  • Committer: Barry Price
  • Date: 2016-08-17 04:49:28 UTC
  • mto: This revision was merged to the branch mainline in revision 22.
  • Revision ID: barry.price@canonical.com-20160817044928-viijiwb4tl8jwzmp
new upstream release 4.6

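--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -226,11 +226,17 @@
         public function serve_request( $path = null ) {
                 $content_type = isset( $_GET['_jsonp'] ) ? 'application/javascript' : 'application/json';
                 $this->send_header( 'Content-Type', $content_type . '; charset=' . get_option( 'blog_charset' ) );
+                $this->send_header( 'X-Robots-Tag', 'noindex' );
+
+                $api_root = get_rest_url();
+                if ( ! empty( $api_root ) ) {
+                        $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
+                }
 
                 /*
                  * Mitigate possible JSONP Flash attacks.
                  *
-                 * http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+                 * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
                  */
                 $this->send_header( 'X-Content-Type-Options', 'nosniff' );
                 $this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
@@ -251,7 +257,7 @@
                 }
 
                 /**
-                 * Filter whether the REST API is enabled.
+                 * Filters whether the REST API is enabled.
                  *
                  * @since 4.4.0
                  *
@@ -260,7 +266,7 @@
                 $enabled = apply_filters( 'rest_enabled', true );
 
                 /**
-                 * Filter whether jsonp is enabled.
+                 * Filters whether jsonp is enabled.
                  *
                  * @since 4.4.0
                  *
@@ -280,14 +286,8 @@
                                 return false;
                         }
 
-                        // Check for invalid characters (only alphanumeric allowed).
-                        if ( is_string( $_GET['_jsonp'] ) ) {
-                                $jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
-                                if ( 0 !== $illegal_char_count ) {
-                                        $jsonp_callback = null;
-                                }
-                        }
-                        if ( null === $jsonp_callback ) {
+                        $jsonp_callback = $_GET['_jsonp'];
+                        if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
                                 echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
                                 return false;
                         }
@@ -335,7 +335,7 @@
                 }
 
                 /**
-                 * Filter the API response.
+                 * Filters the API response.
                  *
                  * Allows modification of the response before returning.
                  *
@@ -361,7 +361,7 @@
                 $this->set_status( $code );
 
                 /**
-                 * Filter whether the request has already been served.
+                 * Filters whether the request has already been served.
                  *
                  * Allow sending the request manually - by returning true, the API result
                  * will not be sent to the client.
@@ -395,7 +395,7 @@
 
                         if ( $jsonp_callback ) {
                                 // Prepend '/**/' to mitigate possible JSONP Flash attacks
-                                // http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+                                // https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
                                 echo '/**/' . $jsonp_callback . '(' . $result . ')';
                         } else {
                                 echo $result;
@@ -619,7 +619,7 @@
                 );
 
                 /**
-                 * Filter the enveloped form of a response.
+                 * Filters the enveloped form of a response.
                  *
                  * @since 4.4.0
                  *
@@ -699,7 +699,7 @@
         public function get_routes() {
 
                 /**
-                 * Filter the array of available endpoints.
+                 * Filters the array of available endpoints.
                  *
                  * @since 4.4.0
                  *
@@ -801,7 +801,7 @@
          */
         public function dispatch( $request ) {
                 /**
-                 * Filter the pre-calculated result of a REST dispatch request.
+                 * Filters the pre-calculated result of a REST dispatch request.
                  *
                  * Allow hijacking the request before dispatching by returning a non-empty. The returned value
                  * will be used to serve the request instead.
@@ -853,8 +853,6 @@
                                         $request->set_url_params( $args );
                                         $request->set_attributes( $handler );
 
-                                        $request->sanitize_params();
-
                                         $defaults = array();
 
                                         foreach ( $handler['args'] as $arg => $options ) {
@@ -869,6 +867,8 @@
                                         if ( is_wp_error( $check_required ) ) {
                                                 $response = $check_required;
                                         }
+
+                                        $request->sanitize_params();
                                 }
 
                                 if ( ! is_wp_error( $response ) ) {
@@ -879,14 +879,14 @@
                                                 if ( is_wp_error( $permission ) ) {
                                                         $response = $permission;
                                                 } else if ( false === $permission || null === $permission ) {
-                                                        $response = new WP_Error( 'rest_forbidden', __( "You don't have permission to do this." ), array( 'status' => 403 ) );
+                                                        $response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => 403 ) );
                                                 }
                                         }
                                 }
 
                                 if ( ! is_wp_error( $response ) ) {
                                         /**
-                                         * Filter the REST dispatch request result.
+                                         * Filters the REST dispatch request result.
                                          *
                                          * Allow plugins to override dispatching the request.
                                          *
@@ -982,7 +982,7 @@
                 $response->add_link( 'help', 'http://v2.wp-api.org/' );
 
                 /**
-                 * Filter the API root index data.
+                 * Filters the API root index data.
                  *
                  * This contains the data describing the API. This includes information
                  * about supported authentication schemes, supported namespaces, routes
@@ -1025,7 +1025,7 @@
                 $response->add_link( 'up', rest_url( '/' ) );
 
                 /**
-                 * Filter the namespace index data.
+                 * Filters the namespace index data.
                  *
                  * This typically is just the route data for the namespace, but you can
                  * add any data you'd like here.
@@ -1059,7 +1059,7 @@
                         }
 
                         /**
-                         * Filter the REST endpoint data.
+                         * Filters the REST endpoint data.
                          *
                          * @since 4.4.0
                          *
@@ -1069,7 +1069,7 @@
                 }
 
                 /**
-                 * Filter the publicly-visible data for routes.
+                 * Filters the publicly-visible data for routes.
                  *
                  * This data is exposed on indexes and can be used by clients or
                  * developers to investigate the site and find out how to use it. It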
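Review bot: The new `$jsonp_callback = $_GET['_jsonp'];` line in the -280,+286 hunk drops the `is_string()` guard the removed block had, and `wp_check_jsonp_callback()` lives outside this file section, so from here it is not visible whether a non-string query value (`?_jsonp[]=x`) is rejected before the value is concatenated into the `echo '/**/' . $jsonp_callback . '(' . $result . ')'` output at new line 399. If the helper does not type-check its argument, the defensive form is `if ( ! is_string( $jsonp_callback ) || ! wp_check_jsonp_callback( $jsonp_callback ) ) {`, which costs nothing when the helper already does. The removed code also ran `wp_unslash()` on the value; presumably a valid callback can only contain `\w` and `.`, so a slashed value would now simply fail validation rather than be unslashed first, which is the safer failure mode but worth confirming against the helper. serve_request() starts and ends outside this hunk.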