Opened 3 years ago
Closed 3 years ago
#8601 closed defect (bug) (fixed)
PHP Notice in BP_Core_oEmbed_Extension::oembed_xml_request()
Reported by: | dd32 | Owned by: | imath |
---|---|---|---|
Milestone: | 9.2.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Core | Keywords: | has-patch |
Cc: |
Description
The BuddyPress oEmbed api endpoint doesn't validate that a valid url
is passed in before processing.
For example:
E_NOTICE: Undefined index: url in wp-content/plugins/buddypress/bp-core/classes/class-bp-core-oembed-extension.php:484 Source: GET https://buddypress.org/wp-json/oembed/1.0/embed?1C87dvZNvCO&format=xml File: wp-content/plugins/buddypress/bp-core/classes/class-bp-core-oembed-extension.php
Suggested patch:
bp-core/classes/class-bp-core-oembed-extension.php
abstract class BP_Core_oEmbed_Extension 469 469 * @param WP_HTTP_ResponseInterface $result Result to send to the client. Usually a WP_REST_Response. 470 470 * @param WP_REST_Request $request Request used to generate the response. 471 471 * @param WP_REST_Server $server Server instance. 472 472 * @return bool 473 473 */ 474 474 public function oembed_xml_request( $served, $result, $request, $server ) { 475 475 $params = $request->get_params(); 476 476 477 477 if ( ! isset( $params['format'] ) || 'xml' !== $params['format'] ) { 478 478 return $served; 479 479 } 480 480 481 481 // Validate URL against our oEmbed endpoint. If not valid, bail. 482 482 // This is our mod to _oembed_rest_pre_serve_request(). 483 483 $query_params = $request->get_query_params(); 484 if ( false === $this->validate_url_to_item_id( $query_params['url'] ) ) {484 if ( ! isset( $query_params['url'] ) || false === $this->validate_url_to_item_id( $query_params['url'] ) ) { 485 485 return $served; 486 486 } 487 487 488 488 // Embed links inside the request. 489 489 $data = $server->response_to_data( $result, false ); 490 490 491 491 if ( ! class_exists( 'SimpleXMLElement' ) ) { 492 492 status_header( 501 ); 493 493 die( get_status_header_desc( 501 ) ); 494 494 } 495 495 496 496 $result = _oembed_create_xml( $data ); 497 497 498 498 // Bail if there's no XML. 499 499 if ( ! $result ) {
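Review bot: The added `isset( $query_params['url'] )` guard at line 484 addresses the reported undefined-index notice, but consider `empty()` instead, so that a request with an empty `url=` value takes the same early `return $served;` path rather than being handed to `validate_url_to_item_id()`; either way, a missing or invalid `url` leaves `$served` untouched and the request falls through to the default (non-XML) handling, which matches how the existing `format` check above it bails out.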
Change History (3)
Hi @dd32
Thanks a lot for your report & patch, I’ll commit it asap 👍