
Commit 8db3960

committed
Check URIs against DB
1 parent d9cb4ad commit 8db3960


1 file changed

+43
-27
lines changed

1 file changed

+43
-27
lines changed

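--- a/inc/class-client.php
+++ b/inc/class-client.php
@@ -174,42 +174,58 @@ public function check_redirect_uri( $uri ) {
 }
 
 $supplied = wp_parse_url( $uri );
+$all_registered = $this->get_redirect_uris();
 
-// Check all components except query and fragment
-$parts = array( 'scheme', 'host', 'port', 'user', 'pass', 'path' );
-$valid = true;
-foreach ( $parts as $part ) {
-if ( isset( $registered[ $part ] ) !== isset( $supplied[ $part ] ) ) {
-$valid = false;
-break;
-}
+foreach ( $all_registered as $registered_uri ) {
+$registered = wp_parse_url( $registered_uri );
 
-if ( ! isset( $registered[ $part ] ) ) {
+// Double-check registered URI is valid.
+if ( ! $registered ) {
 continue;
 }
 
-if ( $registered[ $part ] !== $supplied[ $part ] ) {
-$valid = false;
+// Check all components except query and fragment
+$parts = array( 'scheme', 'host', 'port', 'user', 'pass', 'path' );
+$valid = true;
+foreach ( $parts as $part ) {
+if ( isset( $registered[ $part ] ) !== isset( $supplied[ $part ] ) ) {
+$valid = false;
+break;
+}
+
+if ( ! isset( $registered[ $part ] ) ) {
+continue;
+}
+
+if ( $registered[ $part ] !== $supplied[ $part ] ) {
+$valid = false;
+break;
+}
+}
+
+/**
+* Filter whether a callback is counted as valid.
+*
+* By default, the URLs must match scheme, host, port, user, pass, and
+* path. Query and fragment segments are allowed to be different.
+*
+* To change this behaviour, filter this value. Note that consumers must
+* have a callback registered, even if you relax this restruction. It is
+* highly recommended not to change this behaviour, as clients will
+* expect the same behaviour across all WP sites.
+*
+* @param boolean $valid True if the callback URL is valid, false otherwise.
+* @param string $url Supplied callback URL.
+* @param WP_Post $consumer Consumer post; stored callback saved as `consumer` meta value.
+*/
+$valid = apply_filters( 'rest_oauth.check_callback', $valid, $uri, $this );
+if ( $valid ) {
+// Stop checking, we have a match.
 break;
 }
 }
 
-/**
-* Filter whether a callback is counted as valid.
-*
-* By default, the URLs must match scheme, host, port, user, pass, and
-* path. Query and fragment segments are allowed to be different.
-*
-* To change this behaviour, filter this value. Note that consumers must
-* have a callback registered, even if you relax this restruction. It is
-* highly recommended not to change this behaviour, as clients will
-* expect the same behaviour across all WP sites.
-*
-* @param boolean $valid True if the callback URL is valid, false otherwise.
-* @param string $url Supplied callback URL.
-* @param WP_Post $consumer Consumer post; stored callback saved as `consumer` meta value.
-*/
-return apply_filters( 'rest_oauth.check_callback', $valid, $uri, $this );
+return $valid;
 }
 
 /**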
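Review bot: `$valid` is first assigned only inside the `foreach ( $all_registered as $registered_uri )` loop (new line 189), so when `get_redirect_uris()` returns nothing, or every entry fails `wp_parse_url()` and takes the `continue` at new line 184, the final `return $valid;` reads an undefined variable and returns null with a notice rather than an explicit rejection; initialise it before the loop with `$valid = false;` so the check fails closed by construction. The filter contract also changed without being documented: `rest_oauth.check_callback` now fires once per registered URI and the first true result breaks out of the loop, whereas the removed code ran it once on the overall result, yet the moved docblock still reads as a single call and its `@param` tags name `$url` and `WP_Post $consumer` while the call passes `$uri` and `$this`. Add a sentence to the docblock such as `Called once for each registered redirect URI; the first candidate for which the filter returns true accepts the supplied URI.` and align the `@param` names with the actual arguments. As a point of style, `$parts` is rebuilt on every outer iteration and could be hoisted above the loop. check_redirect_uri begins before this hunk, so whatever validation of `$uri` precedes line 174 is not visible here.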
