From 7a15b3353a38e0751a67f7b0a200e5cf56d7e7ca Mon Sep 17 00:00:00 2001
From: davidbaumwald <davidbaumwald@git.wordpress.org>
Date: Tue, 27 Sep 2022 20:13:13 +0000
Subject: [PATCH] REST API: Ensure `args` is an array of arrays in
 `register_rest_route()`.

When calling `register_rest_route()`, the `args` parameter for a route should be an array of arrays.  However, some plugins/themes have passed an array of strings or key-value pairs which produces a PHP warning when `array_intersect_key` is used to filter the array keys based on an allowed list of schema keywords.

This change adds a check of the `args` parameter to ensure it's an array of arrays, presenting a `_doing_it_wrong` if any element of `args` is not an array and restructuring to an array of arrays.  This change also adds a unit test for the incorrect usage described above, expecting that a `_doing_it_wrong` is produced.

Props slaFFik, desrosj, apermo, AndrewNZ, aristath, poena, dovyp, timothyblynjacobs, Hinjiriyo, johnmark8080, nateallen.
Fixes #51986.
Built from https://develop.svn.wordpress.org/trunk@54339


git-svn-id: http://core.svn.wordpress.org/trunk@53898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/rest-api.php                      | 12 ++++++++++++
 wp-includes/rest-api/class-wp-rest-server.php |  5 +++++
 wp-includes/version.php                       |  2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php
index 01a1a9a50c..47b922bcd8 100644
--- a/wp-includes/rest-api.php
+++ b/wp-includes/rest-api.php
@@ -103,6 +103,18 @@ function register_rest_route( $namespace, $route, $args = array(), $override = f
 				'5.5.0'
 			);
 		}
+
+		if ( count( array_filter( $arg_group['args'], 'is_array' ) ) !== count( $arg_group['args'] ) ) {
+			_doing_it_wrong(
+				__FUNCTION__,
+				sprintf(
+				/* translators: %s: The REST API route being registered. */
+					__( 'REST API $args should be an array of arrays. Non-array value detected for %s.' ),
+					'<code>' . $clean_namespace . '/' . trim( $route, '/' ) . '</code>'
+				),
+				'6.1.0'
+			);
+		}
 	}
 
 	$full_route = '/' . $clean_namespace . '/' . trim( $route, '/' );
diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index ddb3f6c01b..6327d5a539 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -1513,6 +1513,11 @@ class WP_REST_Server {
 				$endpoint_data['args'] = array();
 
 				foreach ( $callback['args'] as $key => $opts ) {
+					if ( is_string( $opts ) ) {
+						$opts = array( $opts => 0 );
+					} elseif ( ! is_array( $opts ) ) {
+						$opts = array();
+					}
 					$arg_data             = array_intersect_key( $opts, $allowed_schema_keywords );
 					$arg_data['required'] = ! empty( $opts['required'] );
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 1a3576cff5..74f340a574 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.1-beta2-54338';
+$wp_version = '6.1-beta2-54339';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.