Changeset 42011 for trunk/src/wp-includes/functions.php

Timestamp:

10/24/2017 11:14:33 PM (8 years ago)

Author:

johnbillion

Message:

Filesystem API: Add more specificity to the rules for valid files in validate_file().

This now treats files containing ./ as valid, and also treats files containing a trailing ../ as valid due to widespread use of this pattern in theme and plugin zip files.

Adds tests.

Props Ipstenu, borgesbruno, DavidAnderson, philipjohn, birgire
Fixes #42016, #36170

File:

• trunk/src/wp-includes/functions.php (modified) (1 diff)

trunk/src/wp-includes/functions.php

@@ -4253 +4253 @@
  * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
  */
-function validate_file( $file, $allowed_files = '' ) {
-    if ( false !== strpos( $file, '..' ) )
+function validate_file( $file, $allowed_files = array() ) {
+    // `../` on its own is not allowed:
+    if ( '../' === $file ) {
         return 1;
-
-    if ( false !== strpos( $file, './' ) )
+    }
+
+    // More than one occurence of `../` is not allowed:
+    if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
         return 1;
-
+    }
+
+    // `../` which does not occur at the end of the path is not allowed:
+    if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
+        return 1;
+    }
+
+    // Files not in the allowed file list are not allowed:
     if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) )
         return 3;
 
+    // Absolute Windows drive paths are not allowed:
     if (':' == substr( $file, 1, 1 ) )
         return 2;