Ticket #20074: 20074.5.diff

File 20074.5.diff, 1.7 KB (added by dd32, 7 years ago)
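--- a/src/wp-admin/includes/file.php
+++ b/src/wp-admin/includes/file.php
@@ -485,10 +485,44 @@
                 return new WP_Error( 'http_404', trim( wp_remote_retrieve_response_message( $response ) ) );
         }
 
+        $content_md5 = wp_remote_retrieve_header( $response, 'content-md5' );
+        if ( $content_md5 ) {
+                $md5_check = verify_file_md5( $tmpfname, $content_md5 );
+                if ( is_wp_error( $md5_check ) ) {
+                        unlink( $tmpfname );
+                        return $md5_check;
+                }
+        }
+
         return $tmpfname;
 }
 
 /**
+ * Calculates and compares the MD5 of a file to it's expected value.
+ *
+ * @since 3.7.0
+ *
+ * @param string $filename The filename to check the MD5 of.
+ * @param string $expected_md5 The expected MD5 of the file, either a base64 encoded raw md5, or a hex-encoded md5
+ * @return mixed WP_Error on failure, true on success.
+ */
+function verify_file_md5( $filename, $expected_md5 ) {
+        if ( 32 == strlen( $expected_md5 ) )
+                $expected_raw_md5 = pack( 'H*', $expected_md5 );
+        elseif ( 24 == strlen( $expected_md5 ) )
+                $expected_raw_md5 = base64_decode( $expected_md5 );
+        else
+                return true; // unknown format
+
+        $file_md5 = md5_file( $filename, true );
+
+        if ( $file_md5 === $expected_raw_md5 )
+                return true;
+
+        return new WP_Error( 'md5_mismatch', sprintf( __( 'The checksum of the file (%1$s) does not match the expected checksum value (%2$s).' ), bin2hex( $file_md5 ), bin2hex( $expected_raw_md5 ) ) );
+}
+
+/**
  * Unzips a specified ZIP file to a location on the Filesystem via the WordPress Filesystem Abstraction.
  * Assumes that WP_Filesystem() has already been called and set up. Does not extract a root-level __MACOSX directory, if present.
  *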
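Review bot: `verify_file_md5()` fails open: any `$expected_md5` that is neither 32 nor 24 bytes long hits `return true; // unknown format`, so a caller cannot tell "verified" from "not checked", and the docblock's "true on success" hides that. In the first added block the expected value is the `content-md5` header of the same response that delivered the file, so whoever can alter the body can also alter or drop the header. The check therefore catches transfer corruption only and gives no authenticity guarantee, all the more so with MD5. I would state this in the docblock, e.g. `* Detects accidental corruption only; the digest is not authenticated, and an unrecognised digest format is treated as a pass.`, and consider returning a `WP_Error` in the unknown-format branch if a caller ever passes a digest obtained from a trusted source. The function that holds the first added block starts above the hunk, so its other return paths are not visible here.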