Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#33615 closed defect (bug) (fixed)

Multisite: It is possible to create sites with wp-content, wp-admin or wp-includes as path

Reported by: thomaswm Owned by: chriscct7
Milestone: 4.4 Priority: normal
Severity: normal Version: 3.0
Component: Networks and Sites Keywords: needs-patch good-first-bug
Focuses: administration, multisite Cc:

Description

When creating a new site on wp-admin/network/site-new.php, there is a text which says that the new site's path (on subdirectory installs) or subdomain (on subdomain installs) may only contain lowercase letters and numbers.

However, the regex expression, which checks if the path/domain entered by the user is valid, also allows dashes (-) in the path/domain.

You can see this in line 41 of wp-admin/network/site-new.php:

	if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) )

This causes another problem:
In subdirectory installs, it is possible to create subsites with wp-content, wp-includes or wp-admin as path. These subsites then conflict with the corresponding folders of the main site.

Attachments (2)

33615-directory-fix.patch (1.0 KB) - added by austinginder 10 years ago.
33615-directory-fix-v2.patch (1.6 KB) - added by austinginder 10 years ago.


Change History (13)

#1 @johnbillion
10 years ago

  • Component changed from General to Networks and Sites
  • Focuses multisite added
  • Version changed from 4.3 to 3.0

#3 @swissspidy
10 years ago

To prevent this, you can add such names to the blacklist so that no site with that name can be created.

#4 @chriscct7
10 years ago

  • Focuses administration added
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.4
  • Owner set to chriscct7
  • Status changed from new to assigned

This issue can be easily avoided, at minimal effort, by just running a preg_match on WordPress directory names.

#5 @chriscct7
10 years ago

  • Keywords good-first-bug added

This would make for a good first bug patch from a new contributor as well

#6 follow-up: @austinginder
10 years ago

There is already a blacklist for subdirectories. Let's add the folder names there.

#7 @enshrined
10 years ago

I'm not sure if the REST API is going into core in 4.4 or not, but would it be worth also adding wp-json to this blacklist for when it does?

#8 in reply to: ↑ 6 @SergeyBiryukov
10 years ago

Replying to austinginder:

There is already a blacklist for subdirectories. Let's add the folder names there.

Thanks for the patch! There's another instance of that filter in wp-includes/ms-functions.php, which should be patched as well.

#9 @wonderboymusic
10 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 33952:

Multisite: Don't allow sites to be created with the following reserved slugs: wp-admin, wp-content, wp-includes

Props austinginder.
Fixes #33615.

#10 @DrewAPicture
10 years ago

In 34235:

Docs: Add a changelog entry for the addition of 'wp-admin', 'wp-content', and 'wp-includes' as reserved names for the subdirectory_reserved_names filter docs.

The new names were introduced in [33952].

See #33615. See #32246.

#11 @DrewAPicture
10 years ago

In 34854:

Multisite: Introduce get_subdirectory_reserved_names(), which returns a filterable list of reserved subdirectory site names.

The function encapsulates the existing subdirectory_reserved_names filter and reduces the maintenance burden of keeping the value of (currently) two instances of the same hook in sync.

See #33615.
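
The check discussed in this ticket, sketched as an added example (not code from WordPress core or from the attached patches): the character regex from the description combined with a reserved-name list. The function and constant names are hypothetical, and the list holds only the three slugs named in [33952].

```php
<?php
// Added example; the names below are hypothetical, not WordPress core functions.

// Reserved slugs named in changeset 33952 on this ticket.
const EXAMPLE_RESERVED_NAMES = array( 'wp-admin', 'wp-content', 'wp-includes' );

/**
 * Validate a requested subdirectory site path.
 * Returns null when the path is acceptable, or a short rejection reason.
 */
function example_validate_site_path( string $requested, array $reserved = EXAMPLE_RESERVED_NAMES ): ?string {
	// Character class from site-new.php line 41 (letters, digits, dashes).
	// The D modifier is added here so that "$" cannot match before a trailing newline.
	if ( ! preg_match( '|^([a-zA-Z0-9-])+$|D', $requested ) ) {
		return 'invalid characters';
	}

	// Assumption: compare case-insensitively, since "WP-Admin" would collide
	// with the real directory on a case-insensitive filesystem.
	$slug = strtolower( $requested );
	if ( in_array( $slug, array_map( 'strtolower', $reserved ), true ) ) {
		return 'reserved name';
	}

	return null;
}

// Constructed sample inputs: compare the regex alone with the combined check.
foreach ( array( 'team-blog', 'wp-admin', 'WP-Content', 'wp-includes', 'wp_admin', '' ) as $path ) {
	$regex_only = preg_match( '|^([a-zA-Z0-9-])+$|', $path ) ? 'accepted' : 'rejected';
	$combined   = example_validate_site_path( $path ) ?? 'accepted';
	printf( "%-14s regex only: %-9s with reserved list: %s\n", var_export( $path, true ), $regex_only, $combined );
}
```

The regex alone accepts `wp-admin`, `WP-Content` and `wp-includes` because the dash is in its character class; only the reserved-name comparison rejects them.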
