Make WordPress Core

Context Navigation

← Previous Change
Next Change →

Changeset 46493 for branches/4.9/src/wp-includes/functions.php

Timestamp:

10/14/2019 06:38:34 PM (7 years ago)

Author:

whyisjake

Message:

Backporting several bug fixes.

Query: Remove the static query property.
HTTP API: Protect against hex interpretation.
Filesystem API: Prevent directory travelersals when creating new folders.
Administration: Ensure that admin referer nonce is valid.
REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.

File:

: 1 edited

branches/4.9/src/wp-includes/functions.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

branches/4.9/src/wp-includes/functions.php

-                      r43989
+                      r46493
     if ( file_exists( $target ) )
         return @is_dir( $target );
+    // Do not allow path traversals.
+    if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+        return false;
+    }
     // We need to find the permissions of the parent folder that exists and inherit that.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: