WordPress.org

Make WordPress Core

Changeset 25180


Ignore:
Timestamp:
08/30/2013 07:34:24 AM (6 years ago)
Author:
dd32
Message:

Theme Upgrader: Be super-careful and check the contents of the $wp_theme_directories variable before merging it, if someone has changed it directly, or worse, unset it, this could've resulted in the $protected_directories being empty. See [25082] See #22501

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/class-wp-upgrader.php

    r25082 r25180  
    213213        // Theme_Upgrader & Plugin_Upgrader also trigger this, as they pass the destination directory (WP_PLUGIN_DIR / wp-content/themes)
    214214        // intending to copy the directory into the directory, whilst they pass the source as the actual files to copy.
    215         if ( in_array( $destination, array_merge( array( ABSPATH, WP_CONTENT_DIR, WP_PLUGIN_DIR, WP_CONTENT_DIR . '/themes' ), $wp_theme_directories ) ) ) {
     215        $protected_directories = array( ABSPATH, WP_CONTENT_DIR, WP_PLUGIN_DIR, WP_CONTENT_DIR . '/themes' );
     216        if ( is_array( $wp_theme_directories ) )
     217            $protected_directories = array_merge( $protected_directories, $wp_theme_directories );
     218        if ( in_array( $destination, $protected_directories ) ) {
    216219            $remote_destination = trailingslashit($remote_destination) . trailingslashit(basename($source));
    217220            $destination = trailingslashit($destination) . trailingslashit(basename($source));
Note: See TracChangeset for help on using the changeset viewer.