Changeset 43392 for trunk/src/wp-includes/functions.php

Timestamp:

07/05/2018 02:31:24 PM (5 years ago)

Author:

johnbillion

Message:

Media: Limit thumbnail file deletions to the same directory as the original file.

File:

• trunk/src/wp-includes/functions.php (modified) (1 diff)

trunk/src/wp-includes/functions.php

@@ -5849 +5849 @@
 
 /**
+ * Deletes a file if its path is within the given directory.
+ *
+ * @since 4.9.7
+ *
+ * @param string $file      Absolute path to the file to delete.
+ * @param string $directory Absolute path to a directory.
+ * @return bool True on success, false on failure.
+ */
+function wp_delete_file_from_directory( $file, $directory ) {
+    $real_file = realpath( wp_normalize_path( $file ) );
+    $real_directory = realpath( wp_normalize_path( $directory ) );
+
+    if ( false === $real_file || false === $real_directory || strpos( wp_normalize_path( $real_file ), trailingslashit( wp_normalize_path( $real_directory ) ) ) !== 0 ) {
+        return false;
+    }
+
+    wp_delete_file( $file );
+
+    return true;
+}
+
+/**
  * Outputs a small JS snippet on preview tabs/windows to remove `window.name` on unload.
  *