Prevent false-positive in validate_callback of REST API

Related: WP-API/docs#194 ```php 'type' => 'string', 'validate_callback' => function( $should_be_date ) { return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date ); } ``` Above validation expects the parameter should be 'YYYY-MM-DD' format, but actually any string as "valid" because `preg_match()` returns 0(falsy value) for mismatch. So, validation priority should be `is_wp_error()` -> "is true?" -> "else, invalid." Concerns: `strpos()` return 0 for match.
fumikito · Nov 28, 2024 · 232ba59 · 232ba59
1 parent e99d839
commit 232ba59
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/src/wp-includes/rest-api/class-wp-rest-request.php b/src/wp-includes/rest-api/class-wp-rest-request.php
@@ -912,13 +912,15 @@ public function has_valid_params() {
 				/** @var bool|\WP_Error $valid_check */
 				$valid_check = call_user_func( $arg['validate_callback'], $param, $this, $key );
 
-				if ( false === $valid_check ) {
-					$invalid_params[ $key ] = __( 'Invalid parameter.' );
-				}
-
 				if ( is_wp_error( $valid_check ) ) {
 					$invalid_params[ $key ]  = implode( ' ', $valid_check->get_error_messages() );
 					$invalid_details[ $key ] = rest_convert_error_to_response( $valid_check )->get_data();
+				} elseif ( $valid_check ) {
+					// The parameter is valid.
+					continue;
+				} else {
+					// Other all falsy parameters are invalid.
+					$invalid_params[ $key ] = __( 'Invalid parameter.' );
 				}
 			}
 		}