
Ticket #42986: implement.diff

File implement.diff, 3.0 KB (added by lenon, 3 years ago)

Diff with a new idea to improve security when removing files

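diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 9200d04..fd60560 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -5737,42 +5737,33 @@ function wp_validate_boolean( $var ) {
  * Delete a file
  *
  * @since 4.2.0
- * @since 4.7.2 Added the $unblock_directories parameter and default filters.
  *
- * @param string $file                The path to the file to delete.
- * @param array  $unblock_directories By default path core directories are block and $unblock_directories are clear.
- *                                    To unblock core folders you need set in array names ROOT, WP_CONTENT_DIR,
- *                                    WP_ADMIN_DIR or WP_INCLUDE_DIR.
+ * @param string $file The path to the file to delete.
+ * @param array $directories_unblock Are directory to unblocked. They are ROOT, WP_CONTENT_DIR, WP_ADMIN_DIR
+ *                                   and WP_INCLUDE_DIR.
+ * @return bool Whether the param is invalidated.
  */
-function wp_delete_file( $file, $unblock_directories = array() ) {
+function wp_delete_file( $file, $directories_unblock = array() ) {
 
         // Default Filters the path of the file to delete.
-        $path_blocked = array(
-                'ROOT' => realpath( untrailingslashit( ABSPATH ) ), // Root path folder.
-                'WP_CONTENT_DIR' => realpath( WP_CONTENT_DIR ), // wp-content path folder.
-                'WP_ADMIN_DIR' => realpath( ABSPATH . 'wp-admin'), // wp-admin path folder.
-                'WP_INCLUDE_DIR' => realpath( ABSPATH . WPINC ) // wp-incluide path folder.
-    );
-
-        $path_blocked     = array_diff_key( $path_blocked, array_flip( $unblock_directories ) );
-        $file_folder_path = realpath( ltrim( dirname( $file ), DIRECTORY_SEPARATOR ) );
-
-        if ( in_array( $file_folder_path, $path_blocked, true) )  {
-                return;
+        $path_blocked['ROOT']           = rtrim( ABSPATH, '/' );
+        $path_blocked['WP_CONTENT_DIR'] = WP_CONTENT_DIR;
+        $path_blocked['WP_ADMIN_DIR']   = ABSPATH . 'wp-admin';
+        $path_blocked['WP_INCLUDE_DIR'] = realpath( ABSPATH . WPINC );
+        $path_blocked                   = array_diff_key( $path_blocked, array_flip( $directories_unblock ) );
+        $file_folder_path               = realpath( ltrim( dirname( $file ), '/' ) );
+
+        if ( in_array( $file_folder_path, $path_blocked ) ) {
+                return false;
         }
 
         /**
          * Filters the path of the file to delete.
          *
-         * @since 4.2.0
-         * @since 4.7.2 Added the $unblock_directories parameter and default filters.
-     *
-         * @param string $file                Path to the file to delete.
-         * @param array  $unblock_directories By default path core directories are block and $unblock_directories are clear.
-         *                                    To unblock core folders you need set in array names ROOT, WP_CONTENT_DIR,
-         *                                    WP_ADMIN_DIR or WP_INCLUDE_DIR.
+         * @since 2.1.0
+         * @param string $file Path to the file to delete.
          */
-        $delete = apply_filters( 'wp_delete_file', $file, $unblock_directories );
+        $delete = apply_filters( 'wp_delete_file', $file );
         if ( ! empty( $delete ) ) {
                 @unlink( $delete );
         }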
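Review bot: The directory guard in the new `wp_delete_file()` does not cover the path that is actually unlinked: it inspects `$file` before `apply_filters( 'wp_delete_file', $file )`, while `@unlink()` runs on the filtered `$delete`, so a filter callback can hand back a path the check never saw. The check is also weak on its own terms: `ltrim( dirname( $file ), '/' )` turns an absolute path into a relative one, so `realpath()` resolves it against the working directory or returns false; three of the four `$path_blocked` entries are not canonicalised; `in_array()` has no strict flag; and only the immediate parent directory is compared, so files in subdirectories of a blocked directory are not covered. I would run the check after the filter, with `$file_folder_path = realpath( dirname( $delete ) );` and `if ( false === $file_folder_path || in_array( $file_folder_path, $path_blocked, true ) ) { return false; }`, and pass every `$path_blocked` entry through `realpath()`. The docblock promises `@return bool`, but no return is visible on the success path; the function's closing lines are outside the hunk.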