Skip to content

Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#76987

Merged
peterwilsoncc merged 2 commits intotrunkfrom
fix/backport-wp-develop-11296
Apr 2, 2026
Merged

Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#76987
peterwilsoncc merged 2 commits intotrunkfrom
fix/backport-wp-develop-11296

Conversation

@chriszarate
Copy link
Copy Markdown
Contributor

@chriszarate chriszarate commented Apr 2, 2026

What?

Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation and permission checks.

Why?

Backport of WordPress/wordpress-develop#11296

How?

  • Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants
  • Add maxLength constraint for update data strings
  • Add maxItems constraint for rooms per request
  • Add route-level validate_callback for request body size
  • Improve can_user_sync_entity_type() to use ctype_digit() for object ID validation, verify post type matches, validate taxonomy terms exist in the correct taxonomy, and reject zero/negative object IDs
  • Add comprehensive test coverage for new validation and permission checks

@chriszarate @claude
Backport: Improve validation and permission checks for WP_HTTP_Pollin…
809e2bf 
…g_Sync_Server

Backport of WordPress/wordpress-develop#11296.

Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation
and permission checks:

- Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants
- Add maxLength constraint for update data strings
- Add maxItems constraint for rooms per request
- Add route-level validate_callback for request body size
- Improve can_user_sync_entity_type() to use ctype_digit() for object ID
  validation, verify post type matches, validate taxonomy terms exist in
  the correct taxonomy, and reject zero/negative object IDs
- Add comprehensive test coverage for new validation and permission checks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@chriszarate chriszarate added [Type] Task Issues or PRs that have been broken down into an individual action to take [Feature] Real-time Collaboration Phase 3 of the Gutenberg roadmap around real-time collaboration Backport to WP 7.0 Beta/RC Pull request that needs to be backported to the WordPress major release that's currently in beta labels Apr 2, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 2, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: chriszarate <czarate@git.wordpress.org>
Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 2, 2026

Flaky tests detected in 521da9e.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/23879753130
📝 Reported issues:

peterwilsoncc
peterwilsoncc approved these changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@peterwilsoncc peterwilsoncc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Chris, this matches the changes in the WordPress-Develop repo.

@peterwilsoncc peterwilsoncc merged commit 1be2ef2 into trunk Apr 2, 2026
41 checks passed
@peterwilsoncc peterwilsoncc deleted the fix/backport-wp-develop-11296 branch April 2, 2026 03:00
@github-actions github-actions bot mentioned this pull request Apr 2, 2026
Open
@github-actions github-actions bot added this to the Gutenberg 23.0 milestone Apr 2, 2026
@github-actions github-actions bot removed the Backport to WP 7.0 Beta/RC Pull request that needs to be backported to the WordPress major release that's currently in beta label Apr 2, 2026
gutenbergplugin pushed a commit that referenced this pull request Apr 2, 2026
@chriszarate @peterwilsoncc @gutenbergplugin
Backport: Improve validation and permission checks for `WP_HTTP_Polli…
cd91928 
…ng_Sync_Server` (#76987)

* Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server

Backport of WordPress/wordpress-develop#11296.

Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation
and permission checks:

- Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants
- Add maxLength constraint for update data strings
- Add maxItems constraint for rooms per request
- Add route-level validate_callback for request body size
- Improve can_user_sync_entity_type() to use ctype_digit() for object ID
  validation, verify post type matches, validate taxonomy terms exist in
  the correct taxonomy, and reject zero/negative object IDs
- Add comprehensive test coverage for new validation and permission checks

* Add backport changelog

---------

Co-authored-by: chriszarate <czarate@git.wordpress.org>
Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org>
@github-actions github-actions bot added the Backported to WP Core Pull request that has been successfully merged into WP Core label Apr 2, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 2, 2026

I just cherry-picked this PR to the wp/7.0 branch to get it included in the next release: cd91928

@Mamaduka Mamaduka mentioned this pull request Apr 3, 2026
Merged
jorgefilipecosta added a commit to jorgefilipecosta/wordpress-develop that referenced this pull request Apr 6, 2026
@jorgefilipecosta
Build/Test Tools: Update Gutenberg packages.
150626f 
Gutenberg changelog:

- Style Book: Fix missing styles for classic themes in stylebook route (WordPress/gutenberg#76843)
- RTC: Fix stuck "Join" link in post list when lock expires (WordPress/gutenberg#76795)
- Icon: Fix center alignment in the editor for classic themes (WordPress/gutenberg#76878)
- RTC: Fix notes not syncing between collaborative editors (WordPress/gutenberg#76873)
- Latest Comments: Fix v1 deprecated block missing supports (WordPress/gutenberg#76877)
- Connectors: Add Akismet as a default connector (WordPress/gutenberg#76828)
- Restore with compaction update (WordPress/gutenberg#76872)
- Improve JSDoc for abilities API (WordPress/gutenberg#76824)
- Connectors: Replace plugin.slug with plugin.file (WordPress/gutenberg#76909)
- Block visibility badge: use canvas iframe for viewport detection (WordPress/gutenberg#76889)
- Connectors: Update help text from 'reset' to 'manage' (WordPress/gutenberg#76963)
- Connectors: Hide Akismet unless already installed (WordPress/gutenberg#76962)
- Wrap sync update processing in try/catch (WordPress/gutenberg#76968)
- Backport: Improve validation and permission checks for `WP_HTTP_Polling_Sync_Server` (WordPress/gutenberg#76987)
- Connectors: account for mu-plugins when resolving plugin.file status (WordPress/gutenberg#76994)
This was referenced Apr 6, 2026
Closed
Closed
pento pushed a commit to WordPress/wordpress-develop that referenced this pull request Apr 6, 2026
@jorgefilipecosta
Editor: Bump pinned hash for the Gutenberg repository.
fd34506 
This updates the pinned hash from the `gutenberg` from `0d133bf7e7437d65d68a06551f3d613a7d8e4361` to `e2970ba736edb99e08fb369d4fb0c378189468ee`.
The following changes are included:

- WordPress/gutenberg#76478 Boot: Fix black area below content when sidebar is taller than page c… (WordPress/gutenberg#76764)
- Style Book: Fix missing styles for classic themes in stylebook route (WordPress/gutenberg#76843)
- RTC: Fix stuck "Join" link in post list when lock expires (WordPress/gutenberg#76795)
- Icon: Fix center alignment in the editor for classic themes (WordPress/gutenberg#76878)
- RTC: Fix notes not syncing between collaborative editors (WordPress/gutenberg#76873)
- Latest Comments: Fix v1 deprecated block missing supports (WordPress/gutenberg#76877)
- Connectors: Add Akismet as a default connector (WordPress/gutenberg#76828)
- Restore with compaction update (WordPress/gutenberg#76872)
- Improve JSDoc for abilities API (WordPress/gutenberg#76824)
- Connectors: Replace plugin.slug with plugin.file (WordPress/gutenberg#76909)
- Block visibility badge: use canvas iframe for viewport detection (WordPress/gutenberg#76889)
- Connectors: Update help text from 'reset' to 'manage' (WordPress/gutenberg#76963)
- Connectors: Hide Akismet unless already installed (WordPress/gutenberg#76962)
- Wrap sync update processing in try/catch (WordPress/gutenberg#76968)
- Backport: Improve validation and permission checks for `WP_HTTP_Polling_Sync_Server` (WordPress/gutenberg#76987)
- Connectors: account for mu-plugins when resolving plugin.file status (WordPress/gutenberg#76994)


A full list of changes can be found on GitHub: https://github.com/WordPress/gutenberg/compare/0d133bf7e7437d65d68a06551f3d613a7d8e4361…e2970ba736edb99e08fb369d4fb0c378189468ee.

Log created with:

git log --reverse --format="- %s" 0d133bf7e7437d65d68a06551f3d613a7d8e4361..e2970ba736edb99e08fb369d4fb0c378189468ee | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

See #64595.

git-svn-id: https://develop.svn.wordpress.org/trunk@62209 602fd350-edb4-49c9-b593-d223f7449a82
markjaquith pushed a commit to markjaquith/WordPress that referenced this pull request Apr 6, 2026
@jorgefilipecosta
Editor: Bump pinned hash for the Gutenberg repository.
d1e3272 
This updates the pinned hash from the `gutenberg` from `0d133bf7e7437d65d68a06551f3d613a7d8e4361` to `e2970ba736edb99e08fb369d4fb0c378189468ee`.
The following changes are included:

- WordPress/gutenberg#76478 Boot: Fix black area below content when sidebar is taller than page c… (WordPress/gutenberg#76764)
- Style Book: Fix missing styles for classic themes in stylebook route (WordPress/gutenberg#76843)
- RTC: Fix stuck "Join" link in post list when lock expires (WordPress/gutenberg#76795)
- Icon: Fix center alignment in the editor for classic themes (WordPress/gutenberg#76878)
- RTC: Fix notes not syncing between collaborative editors (WordPress/gutenberg#76873)
- Latest Comments: Fix v1 deprecated block missing supports (WordPress/gutenberg#76877)
- Connectors: Add Akismet as a default connector (WordPress/gutenberg#76828)
- Restore with compaction update (WordPress/gutenberg#76872)
- Improve JSDoc for abilities API (WordPress/gutenberg#76824)
- Connectors: Replace plugin.slug with plugin.file (WordPress/gutenberg#76909)
- Block visibility badge: use canvas iframe for viewport detection (WordPress/gutenberg#76889)
- Connectors: Update help text from 'reset' to 'manage' (WordPress/gutenberg#76963)
- Connectors: Hide Akismet unless already installed (WordPress/gutenberg#76962)
- Wrap sync update processing in try/catch (WordPress/gutenberg#76968)
- Backport: Improve validation and permission checks for `WP_HTTP_Polling_Sync_Server` (WordPress/gutenberg#76987)
- Connectors: account for mu-plugins when resolving plugin.file status (WordPress/gutenberg#76994)


A full list of changes can be found on GitHub: https://github.com/WordPress/gutenberg/compare/0d133bf7e7437d65d68a06551f3d613a7d8e4361…e2970ba736edb99e08fb369d4fb0c378189468ee.

Log created with:

git log --reverse --format="- %s" 0d133bf7e7437d65d68a06551f3d613a7d8e4361..e2970ba736edb99e08fb369d4fb0c378189468ee | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

See #64595.
Built from https://develop.svn.wordpress.org/trunk@62209


git-svn-id: http://core.svn.wordpress.org/trunk@61489 1a063a9b-81f0-0310-95a4-ce76da25c4cd
pento pushed a commit to WordPress/wordpress-develop that referenced this pull request Apr 6, 2026
@jorgefilipecosta
Editor: Bump pinned hash for the Gutenberg repository.
c254f40 
This updates the pinned hash from the `gutenberg` from `0d133bf7e7437d65d68a06551f3d613a7d8e4361` to `e2970ba736edb99e08fb369d4fb0c378189468ee`.
The following changes are included:

- WordPress/gutenberg#76478 Boot: Fix black area below content when sidebar is taller than page c… (WordPress/gutenberg#76764)
- Style Book: Fix missing styles for classic themes in stylebook route (WordPress/gutenberg#76843)
- RTC: Fix stuck "Join" link in post list when lock expires (WordPress/gutenberg#76795)
- Icon: Fix center alignment in the editor for classic themes (WordPress/gutenberg#76878)
- RTC: Fix notes not syncing between collaborative editors (WordPress/gutenberg#76873)
- Latest Comments: Fix v1 deprecated block missing supports (WordPress/gutenberg#76877)
- Connectors: Add Akismet as a default connector (WordPress/gutenberg#76828)
- Restore with compaction update (WordPress/gutenberg#76872)
- Improve JSDoc for abilities API (WordPress/gutenberg#76824)
- Connectors: Replace plugin.slug with plugin.file (WordPress/gutenberg#76909)
- Block visibility badge: use canvas iframe for viewport detection (WordPress/gutenberg#76889)
- Connectors: Update help text from 'reset' to 'manage' (WordPress/gutenberg#76963)
- Connectors: Hide Akismet unless already installed (WordPress/gutenberg#76962)
- Wrap sync update processing in try/catch (WordPress/gutenberg#76968)
- Backport: Improve validation and permission checks for `WP_HTTP_Polling_Sync_Server` (WordPress/gutenberg#76987)
- Connectors: account for mu-plugins when resolving plugin.file status (WordPress/gutenberg#76994)


A full list of changes can be found on GitHub: https://github.com/WordPress/gutenberg/compare/0d133bf7e7437d65d68a06551f3d613a7d8e4361…e2970ba736edb99e08fb369d4fb0c378189468ee.

Log created with:

git log --reverse --format="- %s" 0d133bf7e7437d65d68a06551f3d613a7d8e4361..e2970ba736edb99e08fb369d4fb0c378189468ee | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

See #64595.

git-svn-id: https://develop.svn.wordpress.org/branches/7.0@62212 602fd350-edb4-49c9-b593-d223f7449a82
markjaquith pushed a commit to markjaquith/WordPress that referenced this pull request Apr 6, 2026
@jorgefilipecosta
Editor: Bump pinned hash for the Gutenberg repository.
a4989ae 
This updates the pinned hash from the `gutenberg` from `0d133bf7e7437d65d68a06551f3d613a7d8e4361` to `e2970ba736edb99e08fb369d4fb0c378189468ee`.
The following changes are included:

- WordPress/gutenberg#76478 Boot: Fix black area below content when sidebar is taller than page c… (WordPress/gutenberg#76764)
- Style Book: Fix missing styles for classic themes in stylebook route (WordPress/gutenberg#76843)
- RTC: Fix stuck "Join" link in post list when lock expires (WordPress/gutenberg#76795)
- Icon: Fix center alignment in the editor for classic themes (WordPress/gutenberg#76878)
- RTC: Fix notes not syncing between collaborative editors (WordPress/gutenberg#76873)
- Latest Comments: Fix v1 deprecated block missing supports (WordPress/gutenberg#76877)
- Connectors: Add Akismet as a default connector (WordPress/gutenberg#76828)
- Restore with compaction update (WordPress/gutenberg#76872)
- Improve JSDoc for abilities API (WordPress/gutenberg#76824)
- Connectors: Replace plugin.slug with plugin.file (WordPress/gutenberg#76909)
- Block visibility badge: use canvas iframe for viewport detection (WordPress/gutenberg#76889)
- Connectors: Update help text from 'reset' to 'manage' (WordPress/gutenberg#76963)
- Connectors: Hide Akismet unless already installed (WordPress/gutenberg#76962)
- Wrap sync update processing in try/catch (WordPress/gutenberg#76968)
- Backport: Improve validation and permission checks for `WP_HTTP_Polling_Sync_Server` (WordPress/gutenberg#76987)
- Connectors: account for mu-plugins when resolving plugin.file status (WordPress/gutenberg#76994)


A full list of changes can be found on GitHub: https://github.com/WordPress/gutenberg/compare/0d133bf7e7437d65d68a06551f3d613a7d8e4361…e2970ba736edb99e08fb369d4fb0c378189468ee.

Log created with:

git log --reverse --format="- %s" 0d133bf7e7437d65d68a06551f3d613a7d8e4361..e2970ba736edb99e08fb369d4fb0c378189468ee | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

See #64595.
Built from https://develop.svn.wordpress.org/branches/7.0@62212


git-svn-id: http://core.svn.wordpress.org/branches/7.0@61492 1a063a9b-81f0-0310-95a4-ce76da25c4cd
adamsilverstein pushed a commit that referenced this pull request Apr 7, 2026
@chriszarate @peterwilsoncc @adamsilverstein
Backport: Improve validation and permission checks for `WP_HTTP_Polli…
2c25111 
…ng_Sync_Server` (#76987)

* Backport: Improve validation and permission checks for WP_HTTP_Polling_Sync_Server

Backport of WordPress/wordpress-develop#11296.

Hardens WP_HTTP_Polling_Sync_Server endpoints with additional validation
and permission checks:

- Add MAX_BODY_SIZE, MAX_ROOMS_PER_REQUEST, MAX_UPDATE_DATA_SIZE constants
- Add maxLength constraint for update data strings
- Add maxItems constraint for rooms per request
- Add route-level validate_callback for request body size
- Improve can_user_sync_entity_type() to use ctype_digit() for object ID
  validation, verify post type matches, validate taxonomy terms exist in
  the correct taxonomy, and reject zero/negative object IDs
- Add comprehensive test coverage for new validation and permission checks

* Add backport changelog

---------

Co-authored-by: chriszarate <czarate@git.wordpress.org>
Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peterwilsoncc peterwilsoncc peterwilsoncc approved these changes

@spacedmonkey spacedmonkey Awaiting requested review from spacedmonkey spacedmonkey is a code owner

Assignees

No one assigned

Labels

Backported to WP Core Pull request that has been successfully merged into WP Core [Feature] Real-time Collaboration Phase 3 of the Gutenberg roadmap around real-time collaboration [Type] Task Issues or PRs that have been broken down into an individual action to take

Projects

None yet

Milestone

Gutenberg 23.0

Development

Successfully merging this pull request may close these issues.

2 participants

@chriszarate @peterwilsoncc