Verify post_id and preview_nonce before triggering AMP validation

ampproject · Feb 26, 2021 · 669fdce · 669fdce
1 parent 6fe44f9
commit 669fdce
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/src/Validation/URLValidationRESTController.php b/src/Validation/URLValidationRESTController.php
@@ -79,9 +79,13 @@ public function register() {
 			[
 				'args'   => [
 					'id'            => [
-						'description' => __( 'Unique identifier for the object.', 'amp' ),
-						'required'    => true,
-						'type'        => 'integer',
+						'description'       => __( 'Unique identifier for the object.', 'amp' ),
+						'required'          => true,
+						'type'              => 'integer',
+						'validate_callback' => function ( $id ) {
+							// Ensure the ID refers to an actual post.
+							return null !== get_post( $id );
+						},
 					],
 					'preview_nonce' => [
 						'description' => __( 'Preview nonce string.', 'amp' ),
@@ -132,6 +136,14 @@ public function validate_post_url( $request ) {
 		$url           = amp_get_permalink( $post_id );
 
 		if ( ! empty( $preview_nonce ) ) {
+			// Verify the preview nonce is valid.
+			if ( false === wp_verify_nonce( $preview_nonce, 'post_preview_' . $post_id ) ) {
+				return new WP_REST_Response(
+					[ 'error' => __( 'Sorry, you are not allowed to validate drafts.', 'amp' ) ],
+					403
+				);
+			}
+
 			$url = add_query_arg(
 				[
 					'preview'       => 1,