REST API: Add dimension validation to sideload endpoint#11100
Open
adamsilverstein wants to merge 25 commits intoWordPress:trunkfrom
Open
REST API: Add dimension validation to sideload endpoint#11100adamsilverstein wants to merge 25 commits intoWordPress:trunkfrom
adamsilverstein wants to merge 25 commits intoWordPress:trunkfrom
Conversation
When client-side media processing handles big image scaling, the client creates a -scaled version and sideloads it back. The sideload route's image_size enum was missing 'scaled', causing 400 validation errors. This adds 'scaled' to the enum, adds handling in sideload_item() to record the original file and update the attachment to point to the scaled version, and updates the unique filename filter regex to recognize the -scaled suffix.
Add 'scaled' to the image_size enum in wp-api-generated.js to match the PHP route registration change, fixing the git diff --exit-code CI check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add tests for the new 'scaled' image_size enum value in the sideload endpoint: verifying metadata updates, authentication requirements, route schema, and unique filename handling for the -scaled suffix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
get_attached_file() can return false when no file is attached. Add a guard to return a WP_Error before calling wp_basename() with a falsy value.
The sideload route uses edit_media_item_permissions_check which returns rest_cannot_edit_image, not rest_forbidden.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
apermo
reviewed
Mar 1, 2026
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Outdated
Show resolved
Hide resolved
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Outdated
Show resolved
Hide resolved
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Outdated
Show resolved
Hide resolved
adamsilverstein
requested review from
apermo,
swissspidy and
westonruter
and removed request for
apermo
apermo
reviewed
Mar 2, 2026
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Outdated
Show resolved
Hide resolved
apermo
reviewed
Mar 2, 2026
apermo
left a comment
apermo
left a comment
There was a problem hiding this comment.
I like the changes, I personally prefer to avoid truthy conditions as long as the alternative is simple enough, so I would go for the if ( is_array() ) other than that looks good to me
westonruter
reviewed
Mar 2, 2026
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Outdated
Show resolved
Hide resolved
Member
Author
|
This worked well in my manual testing. |
Addresses review feedback to assert the value of metadata['file'], not just its existence.
Avoids repeating the string literal for the array key in the enum assertion test.
Verifies that sideloading a scaled image retains the numeric suffix when a file with the same name already exists from a different attachment.
The $number parameter in filter_wp_unique_filename is typed as int|string. Casting to (int) before interpolation into the preg_match pattern ensures regex safety regardless of any future changes to what $number might contain.
westonruter
reviewed
Mar 3, 2026
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Show resolved
Hide resolved
5 tasks
Co-authored-by: Weston Ruter <westonruter@gmail.com>
Co-authored-by: Weston Ruter <westonruter@gmail.com>
Check whether _wp_attached_file already matches $path before calling update_attached_file(), since a false return could mean the value is unchanged. Return a WP_Error when the meta value differs but the update still fails.
Per review feedback, use ! is_int( $number ) as the guard since $number is either an int or an empty string. This is more precise than empty() and allows removing the (int) cast in the regex since $number is guaranteed to be an int.
Checks image dimensions and filesize before calling update_attached_file() to avoid leaving the attachment in a bad state if the scaled file is unreadable or empty.
Move the literal dash outside the capture group so the regex reads `/(.*)-(\d+x\d+|scaled)-/` instead of alternating `(-\d+x\d+|-scaled)`. This keeps the dash handling consistent and simplifies the filename reconstruction. Props westonruter. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Validates uploaded image dimensions against expected size constraints in the wp/v2/media/<id>/sideload endpoint. This prevents users from uploading incorrectly-sized images for a specified image size. Validation rules: - 'original' size: must match original attachment dimensions exactly. - 'full' and 'scaled' sizes: requires positive dimensions only. - Regular sizes: dimensions must not exceed registered size maximums (with 1px tolerance for rounding differences). Also adds two new test cases for dimension validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move the positive-dimensions check to the top of validate_image_dimensions() to apply it universally and eliminate duplication. Reorder sprintf args in the dimension mismatch message to match display order, reducing cognitive load. Props apermo. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ontroller.php Co-authored-by: Christoph Daum <c.daum@me.com>
adamsilverstein
force-pushed
the
add-dimension-validation-to-sideload
branch
from
5d87ca6 to
5474fcd
Compare
Trac Ticket MissingThis pull request is missing a link to a Trac ticket. For a contribution to be considered, there must be a corresponding ticket in Trac. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. More information about contributing to WordPress on GitHub can be found in the Core Handbook. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Builds on #11015. Adds dimension validation to the sideload endpoint.
validate_image_dimensions()private method toWP_REST_Attachments_Controllerwp/v2/media/<id>/sideloadendpointwp_getimagesize()call earlier insideload_item()to validate before metadata handlingValidation rules:
Test plan
test_sideload_item_rejects_oversized_dimensions— uploads 640x480 image as thumbnail (150x150), expects 400 withrest_upload_dimension_mismatchtest_sideload_item_accepts_valid_dimensions— uploads 50x50 image as thumbnail, expects 200Corresponding Gutenberg PR: WordPress/gutenberg#74903
🤖 Generated with Claude Code