Make WordPress Core


Timestamp:
04/18/2024 03:15:50 AM (8 months ago)
Author:
peterwilsoncc
Message:

Upgrade/Install: Validate source & destination values in WP_Upgrader.

Adds a missing string and some additional validation of paths in the upgrader class.

Follow up to [56992].

Props costdev, jipmoors, karlijnbok, swissspidy, afragen, mukesh27.
Fixes #59712.

File:
1 edited

  • trunk/src/wp-admin/includes/class-wp-upgrader.php

    r56550 r58022  
    197197        $this->strings['fs_no_folder'] = __( 'Unable to locate needed folder (%s).' );
    198198
     199        $this->strings['no_package']           = __( 'Package not available.' );
    199200        $this->strings['download_failed']      = __( 'Download failed.' );
    200201        $this->strings['installing_package']   = __( 'Installing the latest version…' );
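
Review bot: The added `no_package` entry at new line 199 has no visible consumer in this changeset, and only one file is edited, so nothing shown here exercises the string. Please reference the code path that returns `$this->strings['no_package']` in the commit message or an inline comment, and add a test asserting the key is set after the generic strings are loaded, so the entry cannot silently go missing again.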
     
    528529        }
    529530
    530         if ( empty( $source ) || empty( $destination ) ) {
     531        if (
     532            ( ! is_string( $source ) || '' === $source || trim( $source ) !== $source ) ||
     533            ( ! is_string( $destination ) || '' === $destination || trim( $destination ) !== $destination )
     534        ) {
    531535            return new WP_Error( 'bad_request', $this->strings['bad_request'] );
    532536        }
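
Review bot: The replacement condition at new lines 531-534 is not a strict superset of the removed `empty()` check: the string '0' was rejected before and is accepted now, since it is a non-empty string equal to its own `trim()`. If that is intended, say so in a comment; if not, keep an explicit rejection. The check also validates shape only (string type, non-empty, no surrounding whitespace as defined by the default `trim()` character set), so it should not be read as confining `$source` or `$destination` to an expected directory; a short docblock note stating that scope would prevent callers from relying on it for path safety. Finally, both operands share the same three-part test and both failures return the generic `bad_request` error, so consider a small private helper for the test and error data naming which argument failed.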