Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#33615 closed defect (bug) (fixed)

Multisite: It is possible to create sites with wp-content, wp-admin or wp-includes as path

Reported by: thomaswm Owned by: chriscct7
Milestone: 4.4 Priority: normal
Severity: normal Version: 3.0
Component: Networks and Sites Keywords: needs-patch good-first-bug
Focuses: administration, multisite Cc:

Description

When creating a new site on wp-admin/network/site-new.php, there is a text which says that the new site's path (on subdirectory installs) or subdomain (on subdomain installs) may only contain lowercase letters and numbers.

However, the regex expression, which checks if the path/domain entered by the user is valid, also allows dashes (-) in the path/domain.

You can see this in line 41 of wp-admin/network/site-new.php:

	if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) )

This causes another problem:
In subdirectory installs, it is possible to create subsites with wp-content, wp-includes or wp-admin as path. These subsites then conflict with the corresponding folders of the main site.

Attachments (2)

33615-directory-fix.patch (1.0 KB) - added by austinginder 4 years ago.
33615-directory-fix-v2.patch (1.6 KB) - added by austinginder 4 years ago.


Change History (13)

#1 @johnbillion
4 years ago

  • Component changed from General to Networks and Sites
  • Focuses multisite added
  • Version changed from 4.3 to 3.0

#3 @swissspidy
4 years ago

To prevent this, you can add such names to the blacklist so that no site with that name can be created.

#4 @chriscct7
4 years ago

  • Focuses administration added
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.4
  • Owner set to chriscct7
  • Status changed from new to assigned

This issue can be easily avoided, at minimal effort, by just running a preg_match on WordPress directory names.

#5 @chriscct7
4 years ago

  • Keywords good-first-bug added

This would make for a good first bug patch from a new contributor as well.

#6 follow-up: @austinginder
4 years ago

There is already a blacklist for subdirectories. Let's add the folder names there.

#7 @enshrined
4 years ago

I'm not sure if the REST API is going into core in 4.4 or not, but would it be worth also adding wp-json to this blacklist for when it does?

#8 in reply to: ↑ 6 @SergeyBiryukov
4 years ago

Replying to austinginder:

> There is already a blacklist for subdirectories. Let's add the folder names there.

Thanks for the patch! There's another instance of that filter in wp-includes/ms-functions.php, which should be patched as well.

#9 @wonderboymusic
4 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 33952:

Multisite: Don't allow sites to be created with the following reserved slugs: wp-admin, wp-content, wp-includes

Props austinginder.
Fixes #33615.

#10 @DrewAPicture
4 years ago

In 34235:

Docs: Add a changelog entry for the addition of 'wp-admin', 'wp-content', and 'wp-includes' as reserved names for the subdirectory_reserved_names filter docs.

The new names were introduced in [33952].

See #33615. See #32246.

#11 @DrewAPicture
4 years ago

In 34854:

Multisite: Introduce get_subdirectory_reserved_names(), which returns a filterable list of reserved subdirectory site names.

The function encapsulates the existing subdirectory_reserved_names filter and reduces the maintenance burden of keeping the value of (currently) two instances of the same hook in sync.

See #33615.
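
An added example (not part of the ticket and not WordPress core code) showing why the character check quoted in the description accepts the three directory names, and how a reserved-name list closes the gap. The function and constant names are hypothetical, the list holds only the names mentioned in this ticket, and the lowercasing and trimming of input are assumptions of this sketch.

```php
<?php
// Added example: standalone sketch, not WordPress core code.

// Reserved names taken from this ticket. Core's real list is filterable
// (subdirectory_reserved_names) and may contain further entries.
const EXAMPLE_RESERVED_NAMES = array( 'wp-admin', 'wp-content', 'wp-includes' );

/**
 * The character check quoted in the ticket: letters, digits and dashes.
 */
function example_charset_ok( string $path ): bool {
	return 1 === preg_match( '|^([a-zA-Z0-9-])+$|', $path );
}

/**
 * Hypothetical hardened check: character set plus reserved-name rejection.
 * Returns null when the path is acceptable, otherwise a reason string.
 */
function example_validate_site_path( string $path, array $reserved = EXAMPLE_RESERVED_NAMES ): ?string {
	// Assumption: compare case-insensitively and ignore surrounding whitespace.
	$path = strtolower( trim( $path ) );

	if ( ! example_charset_ok( $path ) ) {
		return 'invalid characters';
	}
	if ( in_array( $path, $reserved, true ) ) {
		return 'reserved name';
	}
	return null;
}

// Constructed sample input for illustration.
$candidates = array( 'shop', 'team-blog', 'wp-admin', 'WP-Content', 'wp-includes', 'wp_admin', 'wp-admin/' );

foreach ( $candidates as $candidate ) {
	$regex_only = example_charset_ok( $candidate ) ? 'accept' : 'reject';
	$reason     = example_validate_site_path( $candidate );
	printf(
		"%-12s regex only: %-6s with reserved list: %s\n",
		$candidate,
		$regex_only,
		$reason ?? 'accept'
	);
}
```

Because the pattern allows dashes, `wp-admin`, `WP-Content` and `wp-includes` all pass the character check on their own; only the reserved-name comparison rejects them.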
