#33615 closed defect (bug) (fixed)
Multisite: It is possible to create sites with wp-content, wp-admin or wp-includes as path
Reported by: | thomaswm | Owned by: | chriscct7 |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Networks and Sites | Keywords: | needs-patch good-first-bug |
Focuses: | administration, multisite | Cc: |
Description
When creating a new site on wp-admin/network/site-new.php, there is a text which says that the new site's path (on subdirectory installs) or subdomain (on subdomain installs) may only contain lowercase letters and numbers.
However, the regex expression, which checks if the path/domain entered by the user is valid, also allows dashes (-) in the path/domain.
You can see this in line 41 of wp-admin/network/site-new.php:
if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) )
This causes another problem:
In subdirectory installs, it is possible to create subsites with wp-content, wp-includes or wp-admin as path. These subsites then conflict with the corresponding folders of the main site.
Attachments (2)
Change History (13)
#1
@
9 years ago
- Component changed from General to Networks and Sites
- Focuses multisite added
- Version changed from 4.3 to 3.0
#3
@
9 years ago
To prevent this, you can add such names to the blacklist so that no site with that name can be created.
#4
@
9 years ago
- Focuses administration added
- Keywords needs-patch added
- Milestone changed from Awaiting Review to 4.4
- Owner set to chriscct7
- Status changed from new to assigned
This issue can be easily avoided, at minimal effort, by just running a preg_match on WordPress directory names.
#5
@
9 years ago
- Keywords good-first-bug added
This would make for a good first bug patch from a new contributor as well.
#6
follow-up:
↓ 8
@
9 years ago
There is already a blacklist for subdirectories. Let's add the folder names there.
#7
@
9 years ago
I'm not sure if the REST API is going into core in 4.4 or not, but would it be worth also adding wp-json to this blacklist for when it does?
#8
in reply to:
↑ 6
@
9 years ago
Replying to austinginder:
There is already a blacklist for subdirectories. Let's add the folder names there.
Thanks for the patch! There's another instance of that filter in wp-includes/ms-functions.php, which should be patched as well.
Related: #23478
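The check discussed in this ticket, as an added example that is neither WordPress core code nor the attached patch: a stand-alone validator that applies the character rule and then a reserved-name list, as comments 3 and 6 propose. The function name, the constant and the list contents are assumptions; the list holds only the names mentioned in this ticket.

```php
<?php
// Added example, not WordPress core code. All names below are hypothetical.

// Directory names from the ticket that collide with the main site's folders,
// plus wp-json as suggested in comment 7. Not WordPress's own list.
const RESERVED_SITE_PATHS = array( 'wp-admin', 'wp-content', 'wp-includes', 'wp-json' );

/**
 * Validate a requested subdirectory path for a new site.
 *
 * $allow_dashes = true mirrors the regex quoted in the ticket;
 * false mirrors the on-screen text (letters and numbers only).
 *
 * Returns an error string, or null when the path is acceptable.
 */
function check_new_site_path( string $path, bool $allow_dashes = true ): ?string {
	// Normalize first so "WP-Admin" or "/wp-admin/" cannot slip past the list.
	$path = strtolower( trim( $path, " \t\r\n/" ) );

	// Anchor to the whole string; an empty path fails here as well.
	$pattern = $allow_dashes ? '/\A[a-z0-9-]+\z/' : '/\A[a-z0-9]+\z/';
	if ( 1 !== preg_match( $pattern, $path ) ) {
		return 'invalid characters';
	}

	// The character rule alone accepts "wp-content", so the name check is separate.
	if ( in_array( $path, RESERVED_SITE_PATHS, true ) ) {
		return 'reserved name';
	}

	return null;
}

// Constructed sample input.
$candidates = array( 'shop', 'my-site', 'wp-content', 'WP-Admin', '/wp-includes/', 'wp_json', '' );
foreach ( $candidates as $candidate ) {
	$with_dashes    = check_new_site_path( $candidate, true ) ?? 'ok';
	$without_dashes = check_new_site_path( $candidate, false ) ?? 'ok';
	printf( "%-16s dashes allowed: %-18s letters/numbers only: %s\n",
		var_export( $candidate, true ), $with_dashes, $without_dashes );
}
```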