WordPress.org

Make WordPress Core

Changeset 46482


Timestamp:
10/14/2019 04:12:33 PM (4 weeks ago)
Author:
whyisjake
Message:

Filesystem API: Prevent directory traversals when creating new folders.

Reject file paths that contain sub-directory paths.

Backports [46476] to the 5.2 branch.

Props iandunn, xknown, sstoqnov, whyisjake.

Location:
branches/5.2
Files:
2 edited

  • branches/5.2

  • branches/5.2/src/wp-includes/functions.php

    r45353 r46482  
    17861786    if ( file_exists( $target ) ) {
    17871787        return @is_dir( $target );
     1788    }
     1789
     1790    // Do not allow path traversals.
     1791    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
     1792        return false;
    17881793    }
    17891794
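Review bot: The traversal check at new lines 1791-1792 is a substring test, so it does not match a target whose final segment is a bare `..` with no trailing `/` or DIRECTORY_SEPARATOR, and it also rejects legitimate directory names that merely end in two dots, such as `name../sub`. Consider splitting $target on both `/` and DIRECTORY_SEPARATOR and returning false when any segment is exactly `..`. The comment `// Do not allow path traversals.` could also say whether placing the check after the file_exists() early return is intended, since an existing target that contains `..` still reaches `return @is_dir( $target );` without being checked.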