Make WordPress Core

Ticket #48316: 48316.diff

File 48316.diff, 1.2 KB (added by DreadLox, 5 years ago)

Patch to better check that directory traversal still is allowed base directories

  • src/wp-includes/functions.php

    diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
    index f8255dd262..28be37cf43 100644
    a b function wp_mkdir_p( $target ) { 
    19241924        }
    19251925
    19261926        // Do not allow path traversals.
    1927         if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
    1928                 return false;
     1927        if (1 === validate_file($target)) {
     1928                $_sanitized_target = str_replace('/', DIRECTORY_SEPARATOR, $target);
     1929                $_target_parts     = explode('/', $_sanitized_target);
     1930
     1931                $keys = array_keys($_target_parts, '..');
     1932                foreach ($keys AS $keypos => $key) {
     1933                        array_splice($_target_parts, $key - ($keypos * 2 + 1), 2);
     1934                }
     1935                $_sanitized_target = implode(DIRECTORY_SEPARATOR, $_target_parts);
     1936
     1937                $_allowed_base_directories = apply_filters('allowed_base_directories', [ABSPATH]);
     1938                $_allowed                  = false;
     1939
     1940                foreach ($_allowed_base_directories AS $_allowed_base_directory) {
     1941                        if (0 === strpos($_sanitized_target, $_allowed_base_directory)) {
     1942                                $_allowed = true;
     1943                                break;
     1944                        }
     1945                }
     1946
     1947                if ( ! $_allowed) {
     1948                        return false;
     1949                }
    19291950        }
    19301951
    19311952        // We need to find the permissions of the parent folder that exists and inherit that.