Skip to content

REST API: Restore is_array() check in rest_convert_error_to_response() #11307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
nate-allen wants to merge 6 commits into from
+36 −2
Closed

REST API: Restore is_array() check in rest_convert_error_to_response() #11307

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ad51bbf
REST API: Restore `is_array()` check in `rest_convert_error_to_respon…
nate-allen Mar 19, 2026
e060139
Revert to original isset() ternary instead of null coalescing with is…
nate-allen Mar 19, 2026
d88933d
Add inline comment explaining the is_array() check.
nate-allen Mar 19, 2026
6398886
Add is_numeric() check and int cast for error status in rest_convert_…
nate-allen Mar 24, 2026
1692243
Merge branch 'trunk' into fix/rest-convert-error-stdclass
westonruter Mar 24, 2026
ea57364
Use phpdoc for type def, add type hints, and add test with multiple s…
westonruter Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/wp-includes/rest-api.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3428,7 +3428,7 @@ function rest_convert_error_to_response( $error ) {
$status = array_reduce(
$error->get_all_error_data(),
static function ( $status, $error_data ) {
return $error_data['status'] ?? $status;
return is_array( $error_data ) && isset( $error_data['status'] ) ? $error_data['status'] : $status;
Copy link
Member

@westonruter westonruter Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an opportunity to further harden this, however. Namely, there is no guarantee that $error_data['status'] is an integer. If it is something else, then the $status will get passed to new WP_REST_Response( $data, $status ) which will then get passed into \WP_HTTP_Response::set_status() and ultmately passed here:

wordpress-develop/src/wp-includes/class-wp-http-response.php

Lines 115 to 117 in bd3f983

public function set_status( $code ) {
$this->status = absint( $code );
}

Passing a non-numeric value to absint() results in a value of 1 being set as the status. This is not a fatal error, but it is wrong. Therefore, this would be even safer:

Suggested change
return is_array( $error_data ) && isset( $error_data['status'] ) ? $error_data['status'] : $status;
if ( is_array( $error_data ) && isset( $error_data['status'] ) && is_numeric( $error_data['status'] ) ) {
$status = (int) $error_data['status'];
}
return $status;

Copy link
Author

@nate-allen nate-allen Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Great suggestion. I've added the is_numeric() check and (int) cast, along with a test for non-numeric status values.

Copy link
Member

@westonruter westonruter Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nate-allen Great! I also followed up with ea57364 to add explicit types, to use phpdoc instead of the inline comment, and I updated the test to account for the possibility that there could be more than one data item added that has status. Please take a look.

Copy link
Author

@nate-allen nate-allen Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! The type hints and expanded multi-status test are nice additions

},
500
);
Expand Down
13 changes: 13 additions & 0 deletions tests/phpunit/tests/rest-api/rest-server.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -592,6 +592,19 @@ public function test_error_to_response_with_additional_data() {
$this->assertSame( array( array( 'status' => 400 ) ), $response->get_data()['additional_data'] );
}

/**
* @ticket 64901
*/
public function test_error_to_response_with_stdclass_data() {
$error = new WP_Error( 'test', 'test', (object) array( 'status' => 400 ) );

$response = rest_convert_error_to_response( $error );
$this->assertInstanceOf( 'WP_REST_Response', $response );

// stdClass data should not cause a fatal, status should default to 500.
$this->assertSame( 500, $response->get_status() );
}

public function test_rest_error() {
$data = array(
'code' => 'wp-api-test-error',
Expand Down
Loading