Harden validation of user-submitted LCP background image URL #1713
Merged (+815 −37)
29 commits, all by westonruter:

57a35e4 Revert "Remove od_store_url_metric_validity filter to be re-added in …
57df740 Use 'status' key instead of 'code'
1d46d83 Merge branch 'trunk' of https://github.com/WordPress/performance into…
9de74b3 Add clear_cache() method to OD_URL_Metric_Group
ad1d9ea Add ability to unset an extended property on OD_URL_Metric and OD_Ele…
8fba89a Suppress erroneous IDE warnings
8f2af87 Unset lcpElementExternalBackgroundImage if URL is invalid
06f0fea Merge branch 'trunk' of https://github.com/WordPress/performance into…
42005e6 Improve docs and tidiness
0d584b7 Add tests for od_url_metric_storage_validity filter
e40b3f1 Fix typo in readme
d73f8ca Scaffold new tests for Image Prioritizer
31fc8ac Merge branch 'trunk' of https://github.com/WordPress/performance into…
18553ee Add missing access private tags
b7b1a47 Add tests for various validity conditions for external BG images
5373233 Fix handling of invalid external BG image and add tests
bcefd69 Avoid preloading background images larger than 2MB
6005f4a Update readme to relate features of Image Prioritizer
250f094 Replace validity filter with sanitization filter; unset unset()
f74f4f4 Rename filter
6856026 Further optimize WP_Query
e1d0ac9 Improve translatability of error message
b4e693c Update readme with links to where the performance features are implem…
42c3de8 Merge branch 'trunk' into add/external-bg-preload-validation
d4c9f40 Eliminate od_store_url_metric_data filter in favor of reusing rest_re…
f8a00b4 Remove todo
4a8dc16 Account for route matching being case insensitive
ba14c36 Improve function description and further trim route
5ab7fd1 Add test case for route ending in newline
Changes shown from 1 commit: ba14c364c76754e855c42bd0fa20e7318f74ede7 (Improve function description and further trim route)
By chance I had the thought of checking whether the route was case sensitive. It wasn't. So this would have been a vulnerability. I want to double check how `$request->get_route()` gets populated to see if there could potentially be any other ways to make a request to the endpoint and yet bypass this condition here.

Indeed, I found that if you tried making a request without pretty permalinks and added `%0A` to the end of the `rest_route` query parameter:

Then the route is parsed as `"/optimization-detective/v1/url-metrics:store\n"` and this matches here in `\WP_REST_Server::match_request_to_handler()` on this line:

This is because `$` matches a newline. In reality this should be using `\z` instead.

I added a test case to explicitly check for this: 5ab7fd1
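The two observations in the comments above (route matching is case insensitive, and `$` also matches before a trailing newline, so `rest_route=...%0A` still reaches the handler while an exact string comparison against `$request->get_route()` fails) as an added PHP example. This is not code from the WordPress/performance plugin or from WordPress core: `core_style_dispatches()` and `strict_dispatches()` are stand-ins that reproduce only the anchoring and flag discussed in the thread, `naive_is_store_route()` is a hypothetical exact-string check standing in for the condition that was bypassed, and `hardened_is_store_route()` is one assumed way to normalize the route before comparing, not necessarily what this PR landed.

```php
<?php
// Added example, not code from the WordPress/performance plugin or WordPress core.
// Shows why a filter that compares $request->get_route() against a fixed string
// is bypassed when the core matcher anchors its pattern with `$` and the `i`
// flag, and one way to make the comparison agree with what the matcher accepts.

const STORE_ROUTE = '/optimization-detective/v1/url-metrics:store';

// Stand-in for the anchoring described for WP_REST_Server::match_request_to_handler():
// case-insensitive and anchored with `$`. In PCRE, `$` also matches just before a
// final "\n" unless the D (dollar_endonly) modifier is set.
function core_style_dispatches(string $path): bool
{
    $route_regex = preg_quote(STORE_ROUTE, '@');
    return 1 === preg_match('@^' . $route_regex . '$@i', $path);
}

// The same pattern anchored with `\z`, which matches only at the absolute end
// of the subject, so a trailing "\n" no longer matches.
function strict_dispatches(string $path): bool
{
    $route_regex = preg_quote(STORE_ROUTE, '@');
    return 1 === preg_match('@^' . $route_regex . '\z@i', $path);
}

// Hypothetical naive filter condition: exact comparison against the canonical route.
function naive_is_store_route(string $route): bool
{
    return $route === STORE_ROUTE;
}

// Hardened condition (an assumed approach): normalize exactly the things the
// matcher ignores (case, a single trailing "\n") before comparing, so the filter
// fires for every request the matcher would dispatch to the handler.
function hardened_is_store_route(string $route): bool
{
    return strtolower(rtrim($route, "\n")) === STORE_ROUTE;
}

/**
 * For one route value, report whether the matcher would dispatch it and whether
 * each filter condition would fire. A request that is dispatched but skipped by
 * the filter condition is a bypass of the validation the filter implements.
 */
function evaluate(string $route): array
{
    $dispatched = core_style_dispatches($route);
    return [
        'dispatched_with_dollar' => $dispatched,
        'dispatched_with_z'      => strict_dispatches($route),
        'naive_bypassed'         => $dispatched && ! naive_is_store_route($route),
        'hardened_bypassed'      => $dispatched && ! hardened_is_store_route($route),
    ];
}

// Constructed sample rest_route values, as a client could send via ?rest_route=
$samples = [
    'canonical'        => STORE_ROUTE,
    'trailing newline' => STORE_ROUTE . "\n",      // ?rest_route=...%0A
    'upper-cased'      => strtoupper(STORE_ROUTE),
    'other route'      => '/optimization-detective/v1/url-metrics:other',
];

foreach ($samples as $label => $route) {
    printf("%-18s %s\n", $label, json_encode(evaluate($route)));
}
```

Run with `php example.php`. The "trailing newline" and "upper-cased" rows are dispatched by the `$`-anchored matcher yet report `naive_bypassed: true`, which is the gap the comments describe; both report `hardened_bypassed: false`. The `dispatched_with_z` column shows that anchoring with `\z` would stop the newline variant from ever reaching the handler, while the case variant would still need the filter to compare case-insensitively.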