#49725 closed defect (bug) (fixed)
Bug in plugin upload
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.4.3 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Upload | Keywords: | |
| Focuses: | administration | Cc: | |
Description
Bug in WordPress version 5.3.2.
How to exploit:
- Download WordPress and run it on localhost.
- Try to upload a plugin; it shows that only a .zip file can be uploaded here.
- But we try to upload a .php shell file.
- Now see that the file is uploaded successfully in the database.
Attachments (4)
Change History (9)
#1
@
6 years ago
- Keywords dev-feedback added
- Severity changed from critical to normal
- Summary changed from found a bug in wordpress version 5.3.2 to Bug in plugin upload
- Version 5.3.2 deleted
#2
@
6 years ago
Just did a quick test using Local by Flywheel. I got the same error as @mukesh27, and the plugin file was not present in my /wp-content/plugins folder.
The file was available under /wp-content/uploads/2020/03.
#3
@
12 months ago
- Keywords close added; dev-feedback removed
Hi All,
This doesn't appear to be an issue in the latest releases, and you cannot upload a single PHP file now. There is validation on the file upload input to only accept .zip files. However, if you avoid that and upload a PHP file regardless, there is server-side validation to stop the file from being read or stored within the site.
As such, I believe this ticket no longer applies to the current state of WordPress and can be closed.
#4
@
10 months ago
- Keywords close removed
- Resolution set to invalid
- Status changed from new to closed
Hi all, I've confirmed this is no longer an issue in the latest version of WP. As such, I'm going to close this ticket to help clean up Trac. If you think this is still a problem and can provide instructions on how to reproduce, please feel free to reopen.
#5
@
9 months ago
- Milestone changed from Awaiting Review to 6.4.3
- Resolution changed from invalid to fixed
This was resolved in r57388 so I've changed the status to fixed, see https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x79f-xrjv-jx5r
Hi @offensive,
Welcome to WordPress Trac! Thanks for the ticket.
When I try to upload a PHP file in plugin upload, it shows me the error below and the uploaded file is moved into the upload directory.
Installing Plugin from uploaded file: code.php
Unpacking the package…
The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable to find End of Central Dir Record signature
Before moving the file into the upload folder, the system needs to check that the uploaded file has a valid format, and only then move the file into the upload directory.
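
The check suggested in the comment above (validate the format before the file reaches the uploads directory, and leave nothing behind on failure), sketched as an added example. It is not WordPress core code and not the change made in r57388; `has_zip_eocd()` and `accept_plugin_package()` are hypothetical names. It looks for the End of Central Directory record that the PCLZIP error refers to.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.
const EOCD_SIG = "PK\x05\x06"; // End of Central Directory (EOCD) signature
const EOCD_MIN = 22;           // fixed part of the EOCD record
const MAX_COMMENT = 65535;     // longest archive comment that may follow it

/** True if the tail of $path holds an EOCD record whose comment length fits. */
function has_zip_eocd(string $path): bool {
    $size = @filesize($path);
    if ($size === false || $size < EOCD_MIN) {
        return false;
    }
    $tail = min($size, EOCD_MIN + MAX_COMMENT);
    $buf = file_get_contents($path, false, null, $size - $tail, $tail);
    if ($buf === false) {
        return false;
    }
    // Scan backwards: signature bytes can also occur inside the comment.
    for ($i = strlen($buf) - EOCD_MIN; $i >= 0; $i--) {
        if (substr_compare($buf, EOCD_SIG, $i, 4) !== 0) {
            continue;
        }
        $commentLen = unpack('v', $buf, $i + 20)[1]; // little-endian uint16
        if ($i + EOCD_MIN + $commentLen === strlen($buf)) {
            return true;
        }
    }
    return false;
}

/** Keep the upload only if it passes the check; otherwise delete it. */
function accept_plugin_package(string $tmpPath, string $destDir): ?string {
    if (!has_zip_eocd($tmpPath)) {
        @unlink($tmpPath); // a rejected file must not stay on disk
        return null;
    }
    // Server-chosen name; a real upload handler would use move_uploaded_file().
    $dest = $destDir . '/' . bin2hex(random_bytes(8)) . '.zip';
    return rename($tmpPath, $dest) ? $dest : null;
}

// Constructed inputs: a PHP script and a minimal empty ZIP (EOCD record only).
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/code.php", "<?php echo 'hello';");
file_put_contents("$dir/empty.zip", EOCD_SIG . str_repeat("\0", 18));
var_dump(accept_plugin_package("$dir/code.php", $dir));  // rejected upload
var_dump(file_exists("$dir/code.php"));                  // is it still on disk?
var_dump(accept_plugin_package("$dir/empty.zip", $dir)); // accepted upload
```

A passing check only shows that the file has ZIP structure; the unpacking step still has to handle its own errors and remove the package when installation fails.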