PHP Warning: parse_str() Input variables exceeded in WPCOM_JSON_API_Endpoint::input() #46996

@josephscott

Description

The input() method in WPCOM_JSON_API_Endpoint can trigger a PHP warning when
processing POST requests with form-urlencoded data containing more variables
than PHP's max_input_vars limit.

In class.json-api-endpoints.php, the input() method calls wp_parse_str() for
application/x-www-form-urlencoded content (when not valid JSON) and for
unrecognized content types:

  case 'application/x-www-form-urlencoded':
      $return = json_decode( $input, true );
      if ( $return === null ) {
          wp_parse_str( $input, $return );  // Warning triggered here
      }
      break;
  default:
      wp_parse_str( $input, $return );  // Also here
      break;

When the input contains more variables than max_input_vars, PHP emits an
E_WARNING and silently truncates the result.

One approach for dealing with this is a helper method that checks the approximate variable count before parsing. Something like:

  /**
   * Parse a query string safely, avoiding PHP warnings when input exceeds
   * max_input_vars.
   *
   * @param string $input  The query string to parse.
   * @param array  $result Parsed key-value pairs are stored here.
   */
  private function safe_parse_str( $input, &$result ) {
      $max_input_vars = (int) ini_get( 'max_input_vars' );
      if (
          $max_input_vars > 0
          && substr_count( $input, '&' ) >= $max_input_vars
      ) {
          $result = array();
          return;
      }
      wp_parse_str( $input, $result );
  }

Then replace the two wp_parse_str() calls in input() with $this->safe_parse_str().
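The following stand-alone script is an added example for this issue; it is not code from the project or from the issue author. It reproduces the truncation described above with a plain parse_str() call (the same path wp_parse_str() ends up on), then shows a guarded wrapper in the spirit of the proposed safe_parse_str(). The function names build_query, count_query_vars, guarded_parse_str, parse_counting_warnings and demo_overflow are this example's own, and the guarded wrapper returns null on overflow (an assumption, so the caller can reject the request) rather than an empty array.

```php
<?php
// Added example for this issue, not project code. Run with the PHP CLI:
//   php demo.php
declare(strict_types=1);

// Build a flat query string with $n variables: v0=0&v1=1&...
function build_query(int $n): string {
    $pairs = [];
    for ($i = 0; $i < $n; $i++) {
        $pairs[] = 'v' . $i . '=' . $i;
    }
    return implode('&', $pairs);
}

// Estimate how many variables PHP will try to register: one per non-empty
// '&'-separated segment. For well-formed input this matches the issue's
// substr_count() heuristic; it additionally ignores empty segments such as
// a trailing or doubled '&'. Nested array keys (a[b]=1) still count as one
// segment here, which is an approximation, not PHP's exact accounting.
function count_query_vars(string $input): int {
    $count = 0;
    foreach (explode('&', $input) as $segment) {
        if ($segment !== '') {
            $count++;
        }
    }
    return $count;
}

// Parse only if the estimated variable count fits within max_input_vars.
// Returns null on overflow so the caller can reject the request instead of
// working on a silently truncated array (assumption for this example).
function guarded_parse_str(string $input, ?int $limit = null): ?array {
    $limit = $limit ?? (int) ini_get('max_input_vars');
    if ($limit > 0 && count_query_vars($input) > $limit) {
        return null;
    }
    parse_str($input, $result);
    return $result;
}

// Run one unguarded parse with a temporary error handler that records the
// E_WARNING messages, so the script can report whether the warning fired and
// how many variables survived the truncation.
function parse_counting_warnings(string $input): array {
    $warnings = [];
    set_error_handler(function (int $errno, string $msg) use (&$warnings): bool {
        if ($errno === E_WARNING) {
            $warnings[] = $msg;
            return true; // handled; keep PHP from printing it itself
        }
        return false;   // let PHP handle anything else normally
    });
    try {
        parse_str($input, $result);
    } finally {
        restore_error_handler();
    }
    return ['vars' => count($result), 'warnings' => $warnings];
}

function demo_overflow(): void {
    // max_input_vars is PHP_INI_PERDIR, so it cannot be raised with ini_set()
    // at runtime; read the configured value (PHP's default is 1000) and build
    // an input one variable past it.
    $limit = (int) ini_get('max_input_vars');
    if ($limit <= 0) {
        echo "max_input_vars is not set; nothing to demonstrate\n";
        return;
    }
    $input = build_query($limit + 1);

    $raw = parse_counting_warnings($input);
    printf("plain parse_str: %d of %d variables kept, %d warning(s)\n",
        $raw['vars'], $limit + 1, count($raw['warnings']));
    foreach (array_unique($raw['warnings']) as $w) {
        echo "  warning: $w\n";
    }

    $over = guarded_parse_str($input, $limit);
    echo 'guarded parse, one past the limit: '
        . ($over === null ? 'rejected before parsing' : count($over) . ' variables')
        . "\n";

    $exact = guarded_parse_str(build_query($limit), $limit);
    echo 'guarded parse, exactly at the limit: '
        . ($exact === null ? 'rejected' : count($exact) . ' variables')
        . "\n";
}

demo_overflow();
```

The unguarded run shows the "Input variables exceeded" warning from the issue title and an array that holds fewer variables than were sent; the guarded run refuses the oversized input up front and accepts input that sits exactly at the limit. Whether a rejected request should become an empty array (as in the proposed helper) or an explicit error response is a policy choice for the endpoint; returning a sentinel keeps that decision with the caller.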
