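diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index f8255dd262..28be37cf43 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -1924,8 +1924,29 @@ function wp_mkdir_p( $target ) {
 }
 
 // Do not allow path traversals.
-if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
-return false;
+if (1 === validate_file($target)) {
+$_sanitized_target = str_replace('/', DIRECTORY_SEPARATOR, $target);
+$_target_parts = explode('/', $_sanitized_target);
+
+$keys = array_keys($_target_parts, '..');
+foreach ($keys AS $keypos => $key) {
+array_splice($_target_parts, $key - ($keypos * 2 + 1), 2);
+}
+$_sanitized_target = implode(DIRECTORY_SEPARATOR, $_target_parts);
+
+$_allowed_base_directories = apply_filters('allowed_base_directories', [ABSPATH]);
+$_allowed = false;
+
+foreach ($_allowed_base_directories AS $_allowed_base_directory) {
+if (0 === strpos($_sanitized_target, $_allowed_base_directory)) {
+$_allowed = true;
+break;
+}
+}
+
+if ( ! $_allowed) {
+return false;
+}
 }
 
 // We need to find the permissions of the parent folder that exists and inherit that.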
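Review bot: The `..` collapsing in the added block never runs where `DIRECTORY_SEPARATOR` is not `/`: the target is first rewritten to `DIRECTORY_SEPARATOR` and then split with `explode('/', …)`, so on Windows the array has one element, no `..` key is found, and the un-normalised path goes straight to the prefix test. Split on the separator that was just written, `$_target_parts = explode( DIRECTORY_SEPARATOR, $_sanitized_target );`. The `0 === strpos(...)` test is a raw string prefix, so a base without a trailing separator (possible for entries supplied through the `allowed_base_directories` filter) also matches sibling directories that merely share the prefix; compare against `rtrim( $_allowed_base_directory, '/\\' ) . DIRECTORY_SEPARATOR` after normalising the base the same way as the target. When a `..` has no preceding segment the `array_splice` offset `$key - ($keypos * 2 + 1)` goes negative and removes elements counted from the end of the array, so that case should `return false` instead of being spliced. `wp_mkdir_p` continues outside the hunk, and it is not visible here whether the later code uses `$target` or `$_sanitized_target`; if it is still `$target`, the check and the directory actually created can differ.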