
Changeset 2019


Timestamp:
12/30/2004 06:05:46 PM (18 years ago)
Author:
rboren
Message:

Do not allow .. anywhere in the filename.

Location:
trunk/wp-admin
Files:
2 edited

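--- a/trunk/wp-admin/admin-functions.php
+++ b/trunk/wp-admin/admin-functions.php
@@ -761,18 +761,35 @@
 }
 
+function validate_file($file, $allowed_files = '') {
+    if ( false !== strpos($file, './'))
+        return 1;
+   
+    if (':' == substr($file,1,1))
+        return 2;
+
+    if ( !empty($allowed_files) && (! in_array($file, $allowed_files)) )
+        return 3;
+
+    return 0;
+}
+
 function validate_file_to_edit($file, $allowed_files = '') {
-    if ('..' == substr($file,0,2))
+    $file = stripslashes($file);
+
+    $code = validate_file($file, $allowed_files);
+
+    if (! $code)
+        return $file;
+
+    switch ($code) {
+    case 1:
         die (__('Sorry, can’t edit files with ".." in the name. If you are trying to edit a file in your WordPress home directory, you can just type the name of the file in.'));
    
-    if (':' == substr($file,1,1))
+    case 2:
         die (__('Sorry, can’t call files with their real path.'));
 
-    if ( !empty($allowed_files) && (! in_array($file, $allowed_files)) ) {
+    case 3:
         die (__('Sorry, that file cannot be edited.'));
     }
-    
-    $file = stripslashes($file);
-
-    return $file;
 }
 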
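Review bot: `validate_file` at new line 764 rejects the substring `./` rather than `..`, so it does not implement the commit message ("Do not allow .. anywhere in the filename"): a name whose final segment is a bare `..` contains no `./` and passes, while a harmless name such as `foo./bar` is rejected. A literal check, `if ( false !== strpos($file, '..') ) return 1;`, is simpler and is also what the `case 1` message in `validate_file_to_edit` already tells the user. The `in_array` on new line 770 should pass `true` as its third argument so the allow-list comparison is strict rather than loose. A short header comment above `validate_file` documenting the return codes (0 accepted, 1 contains `./`, 2 colon in the second position, 3 not in `$allowed_files`) would help callers such as admin.php, which only tests the result for truthiness.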
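--- a/trunk/wp-admin/admin.php
+++ b/trunk/wp-admin/admin.php
@@ -43,11 +43,13 @@
 if (isset($_GET['page'])) {
     $plugin_page = plugin_basename($_GET['page']);
-    if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page")) {
-        die(sprintf(__('Cannot load %s.'), $plugin_page));
+    if ( validate_file($plugin_page) ) {
+        die(__('Invalid plugin page'));
     }
 
-    if (! isset($_GET['noheader'])) {
+    if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page"))
+        die(sprintf(__('Cannot load %s.'), $plugin_page));
+
+    if (! isset($_GET['noheader']))
         require_once(ABSPATH . '/wp-admin/admin-header.php');
-    }
 
     include(ABSPATH . "wp-content/plugins/$plugin_page");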
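Review bot: The `die(sprintf(__('Cannot load %s.'), $plugin_page))` on new line 50 writes the request-derived `$plugin_page` into the response without HTML escaping; `validate_file` only screens for `./` and a second-character colon, so the rest of the string is still user-controlled text when it reaches the page. Escape it at the output boundary: `die(sprintf(__('Cannot load %s.'), htmlspecialchars($plugin_page)));`. Stylistically, the new brace-less `if` bodies on lines 49 and 52 sit next to the braced form kept on line 45 inside the same block; keeping the braces is consistent and avoids a dangling second statement when a line is added later. The enclosing `if (isset($_GET['page']))` block closes outside the hunk, and `plugin_basename` is defined elsewhere, so what it strips from the raw parameter is not visible here.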