Changes between Initial Version and Version 2 of Ticket #51368


Timestamp:
09/21/2020 09:34:35 PM (13 months ago)
Author:
SergeyBiryukov
Comment:

Replying to zieladam:

> It was introduced 16 years ago when the function was first created, and even then there was no clear explanation why is it even being checked: [2019].

Just noting the ':' === substr( $file, 1, 1 ) check itself is even older and comes from b2/cafelog: https://core.trac.wordpress.org/browser/trunk/b2template.php?rev=3&marks=79-80#L68

That is the line that ended up in validate_file() after being moved around quite a few times.

Looking at the "Sorry, can't call files with their real path" message, it was probably added as some sort of a security precaution, though perhaps no longer relevant.
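The check quoted above, run over a few constructed paths next to a stricter drive-letter pattern. This is an added example, not WordPress core code and not part of the comment above; the function names `second_char_is_colon()` and `is_windows_drive_path()` and all sample paths are hypothetical.

```php
<?php
// Added illustration, not WordPress core code. Function names are hypothetical.

// The one-character test quoted in the comment: true whenever byte 1 is ':'.
function second_char_is_colon( string $file ): bool {
    return ':' === substr( $file, 1, 1 );
}

// Hypothetical stricter test for comparison: an ASCII drive letter,
// a colon, then a path separator (backslash or forward slash).
function is_windows_drive_path( string $file ): bool {
    return 1 === preg_match( '#^[A-Za-z]:[\\\\/]#', $file );
}

// Constructed sample paths, not taken from the ticket.
$samples = array(
    'C:\\xampp\\htdocs\\readme.html', // Windows drive path, backslashes
    'c:/inetpub/wwwroot/readme.html', // Windows drive path, forward slashes
    'a:b.php',                        // relative name whose second byte is ':'
    '1:notes.txt',                    // not a drive letter, still byte 1 is ':'
    '/var/www/html/readme.html',      // absolute Unix path
    'twentytwenty/index.php',         // ordinary relative path
    '',                               // empty input
);

foreach ( $samples as $file ) {
    printf(
        "%-38s colon-check=%-5s drive-pattern=%s\n",
        var_export( $file, true ),
        var_export( second_char_is_colon( $file ), true ),
        var_export( is_windows_drive_path( $file ), true )
    );
}
```

The two tests agree on the two drive paths and on the Unix, relative and empty inputs; they differ on `a:b.php` and `1:notes.txt`, which the one-character test matches even though neither is an absolute drive path.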

  • Ticket #51368 – Description

    initial v2  
    33https://github.com/WordPress/wordpress-develop/blob/b984a64c987ae259109bcb08776b1ed22f1dc98f/src/wp-includes/functions.php#L5373-L5376
    44
    5 It checks whether or not the path is a Windows drive path. Why is this logic needed? It doesn't seem to play any role or even make sense - why allow arbitrary unix paths, but not windows paths? It was introduced 16 years ago when the function was first created, and even then there was no clear explanation why is it even being checked: https://core.trac.wordpress.org/changeset/2019.
     5It checks whether or not the path is a Windows drive path. Why is this logic needed? It doesn't seem to play any role or even make sense - why allow arbitrary unix paths, but not windows paths? It was introduced 16 years ago when the function was first created, and even then there was no clear explanation why is it even being checked: [2019].