Skip to content

[41604] SETTINGS REST API Fix: Validate parameters in wp/v2/settings endpoint to prevent incorrect responses #8914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: trunk
Choose a base branch
from
Open

[41604] SETTINGS REST API Fix: Validate parameters in wp/v2/settings endpoint to prevent incorrect responses #8914

wants to merge 2 commits into from

Conversation

Vedanshmini26
Copy link

@Vedanshmini26 Vedanshmini26 commented Jun 5, 2025
edited
Loading

Trac: https://core.trac.wordpress.org/ticket/41604

Problem
The /wp/v2/settings endpoint currently accepts POST requests with empty bodies or invalid parameters and incorrectly returns the site settings instead of proper error responses.
Current behavior (incorrect):
POST /wp/v2/settings with empty body → Returns settings (should be 400)
POST /wp/v2/settings with {"invalid_param": "value"} → Returns settings (should be 400)
POST /wp/v2/settings with {"title": "New", "invalid_param": "value"} → Returns settings (should be 400)

Root Cause
The WordPress REST API args validation system only validates known parameters defined in the schema. When no settings are registered with show_in_rest => true, or when unknown parameters are provided, the validation framework doesn't reject the request, allowing the update_item() callback to execute and return settings data.

Solution
Added parameter validation in the update_item() method of WP_REST_Settings_Controller to:
Reject empty request bodies - POST/PUT/PATCH requests must contain parameters
Reject invalid parameters - Only allow parameters that correspond to registered settings
Return appropriate HTTP 400 errors with descriptive messages

Expected Behavior After Fix

  • Proper error responses:
  1. POST /wp/v2/settings with {} → 400: "Request body cannot be empty."
  2. POST /wp/v2/settings with {"invalid_param": "value"} → 400: "Invalid parameter(s) provided."
  3. POST /wp/v2/settings with {"title": "New", "invalid_param": "value"} → 400: "Invalid parameter(s) provided."
  • Valid requests still work:
  1. POST /wp/v2/settings with {"title": "New Title"} → Updates setting and returns updated settings

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 5, 2025

Hi @Vedanshmini26! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

Thank you,
The WordPress Project

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 5, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @Vedanshmini26.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 5, 2025

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Vedanshmini26