1
0
mirror of https://github.com/WordPress/WordPress.git synced 2025-01-09 09:57:38 +01:00

REST API: Ensure no-cache headers are sent when methods are ovverriden.

Props tykoted, xknown, ehtis, timothyblynjacobs, peterwilsoncc, rmccue, jorbin.

Built from https://develop.svn.wordpress.org/trunk@56834


git-svn-id: http://core.svn.wordpress.org/trunk@56346 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Aaron Jorbin 2023-10-12 12:32:32 +00:00
parent 4cfb52760f
commit 3f1e6a6a50
3 changed files with 26 additions and 19 deletions

View File

@ -1090,6 +1090,7 @@ function rest_cookie_check_errors( $result ) {
$result = wp_verify_nonce( $nonce, 'wp_rest' );
if ( ! $result ) {
add_filter( 'rest_send_nocache_headers', '__return_true', 20 );
return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
}

View File

@ -322,24 +322,6 @@ class WP_REST_Server {
*/
$this->send_header( 'X-Content-Type-Options', 'nosniff' );
/**
* Filters whether to send nocache headers on a REST API request.
*
* @since 4.4.0
*
* @param bool $rest_send_nocache_headers Whether to send no-cache headers.
*/
$send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
if ( $send_no_cache_headers ) {
foreach ( wp_get_nocache_headers() as $header => $header_value ) {
if ( empty( $header_value ) ) {
$this->remove_header( $header );
} else {
$this->send_header( $header, $header_value );
}
}
}
/**
* Filters whether the REST API is enabled.
*
@ -394,10 +376,12 @@ class WP_REST_Server {
* $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE
* header.
*/
$method_overridden = false;
if ( isset( $_GET['_method'] ) ) {
$request->set_method( $_GET['_method'] );
} elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
$request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
$method_overridden = true;
}
$expose_headers = array( 'X-WP-Total', 'X-WP-TotalPages', 'Link' );
@ -498,6 +482,28 @@ class WP_REST_Server {
*/
$served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
/**
* Filters whether to send nocache headers on a REST API request.
*
* @since 4.4.0
* @since 6.3.2 Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
*
* @param bool $rest_send_nocache_headers Whether to send no-cache headers.
*/
$send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
// send no cache headers if the $send_no_cache_headers is true
// OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4x response code.
if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
foreach ( wp_get_nocache_headers() as $header => $header_value ) {
if ( empty( $header_value ) ) {
$this->remove_header( $header );
} else {
$this->send_header( $header, $header_value );
}
}
}
if ( ! $served ) {
if ( 'HEAD' === $request->get_method() ) {
return null;

View File

@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.4-beta3-56833';
$wp_version = '6.4-beta3-56834';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.