Bad Requests: Fix Pattern Directory URI check to match request path correctly #585
obenland wants to merge 1 commit into WordPress:trunk from
Conversation
The previous str_contains() check could match unrelated URLs that happen to contain 'wordpress.org/patterns/' in the path. Using str_starts_with() with '/patterns/' is more precise and correct for matching the request URI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
Pull request overview
Updates the Pattern Directory request detection used to block non-scalar query parameters, switching from a substring match to a stricter URI prefix check.
Changes:
- Replace `str_contains( $_SERVER['REQUEST_URI'], 'wordpress.org/patterns/' )` with `str_starts_with( $_SERVER['REQUEST_URI'], '/patterns/' )` for Pattern Directory detection.
| if ( ! str_starts_with( $_SERVER['REQUEST_URI'], '/patterns/' ) ) { | ||
| return; | ||
| } | ||
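Review bot: the new condition reads `$_SERVER['REQUEST_URI']` without guarding against it being unset, which is the case when this mu-plugin code is loaded outside an HTTP request (WP-CLI, cron). That emits an "Undefined array key" warning and, on PHP 8.1+, a deprecation for passing null to `str_starts_with()`; the early `return` then depends on an implicit null-to-string coercion. Suggest `$_SERVER['REQUEST_URI'] ?? ''` so the non-HTTP case returns cleanly. Note also that `REQUEST_URI` carries the query string, so a bare prefix check against the raw value is sensitive to whether a slash precedes the `?`.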
str_starts_with( $_SERVER['REQUEST_URI'], '/patterns/' ) will not match requests like /patterns?curation[$in][]=all (no trailing slash before the query string) or /patterns (no trailing slash). That creates a bypass for the non-scalar query-parameter blocking this hook is meant to enforce. Consider normalizing to the path component (e.g., via parse_url(..., PHP_URL_PATH)) and checking for the /patterns prefix with an optional trailing slash, while still avoiding matches like /patterns-foo.
| if ( ! str_starts_with( $_SERVER['REQUEST_URI'], '/patterns/' ) ) { | |
| return; | |
| } | |
| $path = parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH ); | |
| if ( ! is_string( $path ) ) { | |
| return; | |
| } | |
| // Match /patterns and /patterns/... but not /patterns-foo. | |
| if ( $path !== '/patterns' && ! str_starts_with( $path, '/patterns/' ) ) { | |
| return; | |
| } |
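Review bot: the suggested replacement covers the `/patterns` and `/patterns?...` forms raised in the comment, but nothing in the PR exercises them; the Test plan lists only `/patterns/`. Suggest extending the test plan (or adding a unit test for the matcher) with `/patterns`, `/patterns?curation[$in][]=all`, `/patterns-foo` (must not match), a URI with `/patterns/` in a non-leading position (must not match), and an unset `REQUEST_URI`, so the regression this PR fixes cannot silently reappear.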
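To make the difference between the raw prefix check and the path-normalized check concrete, here is a stand-alone PHP script (an added example, not code from the wporg-mu-plugins repository or from this PR). The function names `is_pattern_directory_request`, `naive_prefix_check` and `has_non_scalar_query_params` are hypothetical, and the sample request URIs are constructed for the demonstration. The non-scalar detection follows the one shape the page mentions (an array-valued parameter such as `curation[$in][]=all`); the real hook's exact rule is not shown on the page and is assumed here.

```php
<?php
declare(strict_types=1);

/**
 * Path-normalized check, mirroring the suggested replacement in the review:
 * reduce REQUEST_URI to its path component, then accept exactly '/patterns'
 * or anything under '/patterns/'. '/patterns-foo' and '/foo/patterns/' are
 * rejected. Hypothetical helper, not the project's own function.
 */
function is_pattern_directory_request( ?string $request_uri ): bool {
    // parse_url() yields false on malformed input and null when there is no path.
    $path = parse_url( $request_uri ?? '', PHP_URL_PATH );
    if ( ! is_string( $path ) ) {
        return false;
    }
    return $path === '/patterns' || str_starts_with( $path, '/patterns/' );
}

/**
 * The raw prefix check as written in the PR hunk, kept for comparison.
 * The '?? ""' guard is added so an unset REQUEST_URI does not warn.
 */
function naive_prefix_check( ?string $request_uri ): bool {
    return str_starts_with( $request_uri ?? '', '/patterns/' );
}

/**
 * True when any top-level query parameter decodes to a non-scalar value
 * (an array), e.g. 'curation[$in][]=all'. Assumed shape of the rule the
 * Bad Requests hook enforces; constructed for this example.
 */
function has_non_scalar_query_params( ?string $request_uri ): bool {
    $query = parse_url( $request_uri ?? '', PHP_URL_QUERY );
    if ( ! is_string( $query ) || $query === '' ) {
        return false;
    }
    parse_str( $query, $params );
    foreach ( $params as $value ) {
        if ( ! is_scalar( $value ) ) {
            return true;
        }
    }
    return false;
}

// Constructed sample request URIs covering the cases discussed in the review.
$samples = [
    '/patterns/',
    '/patterns/?curation[$in][]=all',
    '/patterns',
    '/patterns?curation[$in][]=all',
    '/patterns-foo?curation[$in][]=all',
    '/blog/patterns/?tag=hero',
    '/patterns/some-pattern/?sort=newest',
    null, // REQUEST_URI unset, as in WP-CLI or cron
];

printf( "%-42s %-6s %-11s %s\n", 'REQUEST_URI', 'naive', 'normalized', 'non-scalar' );
foreach ( $samples as $uri ) {
    printf(
        "%-42s %-6s %-11s %s\n",
        var_export( $uri, true ),
        naive_prefix_check( $uri ) ? 'yes' : 'no',
        is_pattern_directory_request( $uri ) ? 'yes' : 'no',
        has_non_scalar_query_params( $uri ) ? 'yes' : 'no'
    );
}
```

Run it with `php example.php`. The rows where `naive` is `no` but `normalized` is `yes` and `non-scalar` is `yes` are exactly the requests that would pass through the hook unblocked with the prefix check as merged; the `/patterns-foo` and `/blog/patterns/` rows show that the normalized check does not over-match the way the original `str_contains()` approach could.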
Summary
- Replace `str_contains( $_SERVER['REQUEST_URI'], 'wordpress.org/patterns/' )` with `str_starts_with( $_SERVER['REQUEST_URI'], '/patterns/' )` for a more precise URI match
- `REQUEST_URI` is a path (e.g. `/patterns/...`), not a full URL, so matching against `wordpress.org/patterns/` was relying on a substring that wouldn't actually appear in the value

Test plan
- Requests to `/patterns/` still have non-scalar query parameters blocked

🤖 Generated with Claude Code