Make WordPress Core

Opened 7 years ago

Last modified 6 years ago

#41901 assigned defect (bug)

Updating fails for themes with style.css in sub directory.

Reported by: inc2734
Owned by: williampatton
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Themes
Keywords: dev-feedback
Focuses:
Cc:

Description

https://github.com/WordPress/WordPress/blob/4.8-branch/wp-includes/theme.php#L466-L513
I saw this part and decided to put style.css in /themes/my-theme/subdir/.

And in fact it worked. But there was one problem: updating the theme. (I update this theme from GitHub instead of WP.org.)

In /wp-admin/update-core.php, updating succeeds. At this time, in site_transient_update_themes, there was a value of my-theme/subdir as a slug.

In /wp-admin/themes.php, updating fails. An error message was displayed: "The theme is at the latest version." At that time, the AJAX response was as follows.

{
  "success":false,
  "data": {
    "update":"theme",
    "slug":"my-themesubdir",
    ....
}

That is, the slash has disappeared. When I looked it up, it was wp_unslash() when updating here.

I think that it is better to unify processing for slashes on either page.

Attachments (2)

patch-41901.diff (504 bytes) - added by inc2734 7 years ago.
patch-41901.2.diff (805 bytes) - added by inc2734 7 years ago.


Change History (6)

@inc2734
7 years ago

#1 @joyously
6 years ago

  • Keywords dev-feedback added

Wouldn't removing wp_unslash expose that code to directory traversal problems?

#2 @williampatton
6 years ago

  • Owner set to williampatton
  • Status changed from new to assigned

We really only expect the style.css file to be directly in the root of the theme directory; when it's somewhere else, unexpected things happen.

We probably need to look at the code that passes in this value and have that not scan directories to discover themes with a style.css that is placed in an unusual location.

#3 follow-up: @inc2734
6 years ago

@joyously Excuse me, I am not familiar with it.

@williampatton I think that way, but putting style.css in a subdirectory is actually recognized, and works in /wp-admin/update-core.php, so the operation is not uniform. I think that is the problem.

#4 in reply to: ↑ 3 @williampatton
6 years ago

Yeah, I agree and will be looking to make all operations related to this work in a uniform way. Thank you for reporting it and highlighting the areas where you've seen it behave strangely.

Replying to inc2734:

@joyously Excuse me, I am not familiar with it.

@williampatton I think that way, but putting style.css in a subdirectory is actually recognized, and works in /wp-admin/update-core.php, so the operation is not uniform. I think that is the problem.
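
On the directory traversal question in comment #1 and the slug my-theme/subdir from the description, the following is an added example, not code from WordPress core or from the attached patches. It contrasts a filter that strips characters (turning my-theme/subdir into my-themesubdir, as in the AJAX response above) with a per-segment check that keeps the slash but rejects traversal. The function names, the character allowlist and the depth limit of 2 are assumptions.

```php
<?php
// Added example: function names are hypothetical, not part of WordPress core.

/**
 * Character-allowlist filter (assumed for illustration): silently drops
 * every character outside [A-Za-z0-9_-], including the "/" separator.
 */
function example_strip_slug( string $slug ): string {
    return (string) preg_replace( '/[^A-Za-z0-9_\-]/', '', $slug );
}

/**
 * Validate a theme slug that may contain sub-directory segments.
 * Returns the slug unchanged when every segment is safe, otherwise null.
 * $max_depth = 2 (theme directory plus one sub-directory) is an assumption.
 */
function example_validate_theme_slug( string $slug, int $max_depth = 2 ): ?string {
    $segments = explode( '/', $slug );
    if ( count( $segments ) > $max_depth ) {
        return null;
    }
    foreach ( $segments as $segment ) {
        // Empty segments (leading, trailing or doubled "/"), "." and "..",
        // backslashes and NUL bytes never match this pattern.
        if ( ! preg_match( '/^[A-Za-z0-9_][A-Za-z0-9_.\-]*$/D', $segment ) ) {
            return null;
        }
    }
    return $slug;
}

// Constructed sample inputs.
$samples = array(
    'my-theme',
    'my-theme/subdir',
    '../../wp-config',
    'my-theme/../other',
    '/etc/passwd',
    'my-theme\\subdir',
    'a/b/c',
);
foreach ( $samples as $sample ) {
    printf(
        "%-20s strip=%-18s validate=%s\n",
        $sample,
        example_strip_slug( $sample ),
        var_export( example_validate_theme_slug( $sample ), true )
    );
}
```

Rejecting a bad slug outright, rather than rewriting it, avoids the case where the filtered value names a different theme than the one the update transient recorded.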
