Timestamp:
07/05/2018 02:31:24 PM (5 years ago)
Author:
johnbillion
Message:

Media: Limit thumbnail file deletions to the same directory as the original file.

File:
1 edited

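--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -5849,4 +5849,26 @@
 
 /**
+ * Deletes a file if its path is within the given directory.
+ *
+ * @since 4.9.7
+ *
+ * @param string $file      Absolute path to the file to delete.
+ * @param string $directory Absolute path to a directory.
+ * @return bool True on success, false on failure.
+ */
+function wp_delete_file_from_directory( $file, $directory ) {
+    $real_file = realpath( wp_normalize_path( $file ) );
+    $real_directory = realpath( wp_normalize_path( $directory ) );
+
+    if ( false === $real_file || false === $real_directory || strpos( wp_normalize_path( $real_file ), trailingslashit( wp_normalize_path( $real_directory ) ) ) !== 0 ) {
+        return false;
+    }
+
+    wp_delete_file( $file );
+
+    return true;
+}
+
+/**
   * Outputs a small JS snippet on preview tabs/windows to remove `window.name` on unload.
   *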
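Review bot: The containment check in `wp_delete_file_from_directory()` is made on the canonical `$real_file`, but the deletion call `wp_delete_file( $file );` uses the original, unresolved `$file`. The validated path and the removed path are therefore not guaranteed to be the same string, for example when a component of `$file` is a symlink or changes between the `realpath()` call and the delete. Passing the resolved value, `wp_delete_file( $real_file );`, would keep the check and the use on one path. Separately, `return true;` is reached whether or not the file was actually removed, and `wp_delete_file()` is defined outside this hunk, so whether it reports failure cannot be seen here. The docblock would be more accurate as `@return bool True if the path is inside the directory and deletion was attempted, false otherwise.`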