BuddyPress.org

Opened 3 years ago

Closed 3 years ago

#8601 closed defect (bug) (fixed)

PHP Notice in BP_Core_oEmbed_Extension::oembed_xml_request()

Reported by: dd32
Owned by: imath
Milestone: 9.2.0
Priority: normal
Severity: normal
Version:
Component: Core
Keywords: has-patch
Cc:

Description

https://github.com/buddypress/buddypress/blob/master/src/bp-core/classes/class-bp-core-oembed-extension.php#L483-L489

The BuddyPress oEmbed api endpoint doesn't validate that a valid url is passed in before processing.

For example:

E_NOTICE: Undefined index: url in wp-content/plugins/buddypress/bp-core/classes/class-bp-core-oembed-extension.php:484

Source: GET https://buddypress.org/wp-json/oembed/1.0/embed?1C87dvZNvCO&format=xml

File: wp-content/plugins/buddypress/bp-core/classes/class-bp-core-oembed-extension.php

Suggested patch:

  • bp-core/classes/class-bp-core-oembed-extension.php

    abstract class BP_Core_oEmbed_Extension 
    469469         * @param WP_HTTP_ResponseInterface $result  Result to send to the client. Usually a WP_REST_Response.
    470470         * @param WP_REST_Request           $request Request used to generate the response.
    471471         * @param WP_REST_Server            $server  Server instance.
    472472         * @return bool
    473473         */
    474474        public function oembed_xml_request( $served, $result, $request, $server ) {
    475475                $params = $request->get_params();
    476476
    477477                if ( ! isset( $params['format'] ) || 'xml' !== $params['format'] ) {
    478478                        return $served;
    479479                }
    480480
    481481                // Validate URL against our oEmbed endpoint. If not valid, bail.
    482482                // This is our mod to _oembed_rest_pre_serve_request().
    483483                $query_params = $request->get_query_params();
    484                 if ( false === $this->validate_url_to_item_id( $query_params['url'] ) ) {
     484                if ( ! isset( $query_params['url'] ) || false === $this->validate_url_to_item_id( $query_params['url'] ) ) {
    485485                        return $served;
    486486                }
    487487
    488488                // Embed links inside the request.
    489489                $data = $server->response_to_data( $result, false );
    490490
    491491                if ( ! class_exists( 'SimpleXMLElement' ) ) {
    492492                        status_header( 501 );
    493493                        die( get_status_header_desc( 501 ) );
    494494                }
    495495
    496496                $result = _oembed_create_xml( $data );
    497497
    498498                // Bail if there's no XML.
    499499                if ( ! $result ) {
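Review bot: the `isset()` guard added on line 484 is the right fix for the notice; it short-circuits before `validate_url_to_item_id()` is ever called with a missing key, so a request like `?1C87dvZNvCO&format=xml` now falls through to `return $served` instead of raising E_NOTICE. One consistency point: the `format` check a few lines above reads from `$params = $request->get_params()`, while this check reads from `$query_params = $request->get_query_params()`, so a `url` supplied anywhere other than the query string would pass the first check and be rejected by the second. If that asymmetry is deliberate (mirroring `_oembed_rest_pre_serve_request()`, as the comment says), it is worth stating in the comment; otherwise read both from the same source. It may also be worth treating an empty `url` (`''`) the same as a missing one so `validate_url_to_item_id()` never receives an empty string.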

Change History (3)

#1 @imath
3 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 9.2.0
  • Owner set to imath
  • Status changed from new to assigned

Hi @dd32

Thanks a lot for your report & patch, I’ll commit it asap 👍

#2 @imath
3 years ago

In 13157:

Validate an url param exists before processing an oEmbed XML request

Props dd32

See #8601 (trunk)

#3 @imath
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 13158:

Validate an url param exists before processing an oEmbed XML request

Props dd32

Fixes #8601 (9.0 branch)
