REST API: Exit gracefully for malformed URLs.

Exit gracefully for requests with a malformed `rest_route` query string parameter, ie anything that is not a string.

This prevents fatal errors from occurring with URLs such as `example.com/?rest_route[]=array` as the URL is user input so logging the data provides no benefit to developers as they are unable to resolve the issue.

Props geekofshire, dd32, timothyblynjacobs.
Fixes #62932.


git-svn-id: https://develop.svn.wordpress.org/trunk@59886 602fd350-edb4-49c9-b593-d223f7449a82

Author: peterwilsoncc

src/wp-includes/rest-api.php

@@ -430,6 +430,16 @@ function rest_api_loaded() {
 		return;
 	}
 
+	// Return an error message if query_var is not a string.
+	if ( ! is_string( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
+		$rest_type_error = new WP_Error(
+			'rest_path_invalid_type',
+			__( 'The rest route parameter must be a string.' ),
+			array( 'status' => 400 )
+		);
+		wp_die( $rest_type_error );
+	}
+
 	/**
 	 * Whether this is a REST Request.
 	 *

tests/phpunit/tests/rest-api.php

@@ -2558,4 +2558,29 @@ public function test_route_args_is_array_of_arrays() {
 
 		$this->assertTrue( $registered );
 	}
+
+	/**
+	 * @ticket 62932
+	 */
+	public function test_should_return_error_if_rest_route_not_string() {
+		global $wp;
+
+		$wp = new stdClass();
+
+		$wp->query_vars = array(
+			'rest_route' => array( 'invalid' ),
+		);
+
+		$this->expectException( WPDieException::class );
+
+		try {
+			rest_api_loaded();
+		} catch ( WPDieException $e ) {
+			$this->assertStringContainsString(
+				'The rest route parameter must be a string.',
+				$e->getMessage()
+			);
+			throw $e; // Re-throw to satisfy expectException
+		}
+	}
 }