Make WordPress Core

Changeset 58808


Timestamp:
07/25/2024 04:33:50 PM (3 months ago)
Author:
jorbin
Message:

Filesystem: Normalize allowed_files so comparison is apples to apples.

In [58470] a change was made to normalize the filename in validate_file, however this leads to instances where the list of files that are allowed aren't normalized such as in the theme editor. By normalizing the array, the comparison is apples to apples.

Reviewed by hellofromTonya.
Merges 58570 to the 6.5 branch.

Fixes #61488.
Props jorbin, hellofromtonya, swissspidy, misulicus, script2see, Presskopp, audrasjb, peterwilsoncc, siliconforks, littler.chicken, paulkevan,

Location:
branches/6.5
Files:
3 edited

  • branches/6.5

  • branches/6.5/src/wp-includes/functions.php

    r58474 r58808  
    61936193    }
    61946194
    6195     // Normalize path for Windows servers
     6195    // Normalize path for Windows servers.
    61966196    $file = wp_normalize_path( $file );
     6197    // Normalize path for $allowed_files as well so it's an apples to apples comparison.
     6198    $allowed_files = array_map( 'wp_normalize_path', $allowed_files );
    61976199
    61986200    // `../` on its own is not allowed:
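Review bot: the added `array_map( 'wp_normalize_path', $allowed_files )` line at 6198 assumes `$allowed_files` is always an array, and nothing in the visible lines guards that. On PHP 8, `array_map()` throws a TypeError when given a non-array, so a caller passing a string or null would fail here before any of the path checks run. Consider casting with `(array) $allowed_files`, or confirm the argument is validated above this point. Since this function gates which files may be edited, the docblock should also state that entries in the allowed list are normalized before comparison, so callers know that backslash and forward-slash forms of a path are treated as the same file.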
  • branches/6.5/tests/phpunit/tests/functions.php

    r58050 r58808  
    17941794     *
    17951795     * @ticket 42016
     1796     * @ticket 61488
    17961797     * @dataProvider data_validate_file
    17971798     *
     
    19121913                array( 'C:/WINDOWS/system32' ),
    19131914                2,
     1915            ),
     1916
     1917            // Windows Path with allowed file
     1918            array(
     1919                'Apache24\htdocs\wordpress/wp-content/themes/twentyten/style.css',
     1920                array( 'Apache24\htdocs\wordpress/wp-content/themes/twentyten/style.css' ),
     1921                0,
    19141922            ),
    19151923
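Review bot: the new data set at 1917-1921 passes the identical mixed-separator string as both the file and the only allowed entry, so it covers just one direction of the normalization. Consider adding a case where the two differ only in separators (for example the file written with forward slashes and the allowed entry with backslashes), plus a negative case where a backslash path is absent from the allowed list, so the test shows that normalizing the list does not widen what is accepted. Minor style point: the comment `// Windows Path with allowed file` lacks the trailing period that this same changeset adds to the comment in functions.php.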