WordPress.org

Make WordPress Core


Ignore:
Timestamp:
10/14/2019 06:38:34 PM (2 months ago)
Author:
whyisjake
Message:

Backporting several bug fixes.

  • Query: Remove the static query property.
  • HTTP API: Protect against hex interpretation.
  • Filesystem API: Prevent directory travelersals when creating new folders.
  • Administration: Ensure that admin referer nonce is valid.
  • REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/4.9/src/wp-includes/functions.php

    r43989 r46493  
    16131613    if ( file_exists( $target ) )
    16141614        return @is_dir( $target );
     1615
     1616    // Do not allow path traversals.
     1617    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
     1618        return false;
     1619    }
    16151620
    16161621    // We need to find the permissions of the parent folder that exists and inherit that.
Note: See TracChangeset for help on using the changeset viewer.