Make WordPress Core

#57516 closed defect (bug) (fixed)

WP_Filesystem_*::dirlist() may create invalid path

Reported by: afragen's profile afragen Owned by:
Milestone: 6.2 Priority: normal
Severity: normal Version: 2.5
Component: Filesystem API Keywords: has-patch
Focuses: Cc:

Description

WP_Filesystem_*::dirlist() creates a nested array of files and subdirectories. If the directory path sent to the function contains a trailing slash, the recursion in the function will send something like path_to_directroy//subdirectory this may emit a PHP Warning though this doesn't seem to effect the results.

This is because line 650 of the function,

$struc['files'] = $this->dirlist( $path . '/' . $struc['name'], $include_hidden, $recursive );

should probably be

$struc['files'] = $this->dirlist( trailingslashit( $path )  . $struc['name'], $include_hidden, $recursive );

to avoid any possible errors.

Change History (12)

#1 @afragen
14 months ago

This change might need to be made throughout.

This ticket was mentioned in PR #3877 on WordPress/wordpress-develop by @costdev.


14 months ago
#2

  • Keywords has-patch added; needs-patch removed

WP_Filesystem_*::dirlist() uses $path . '/' in several places. For /path/, this will produce /path//.

This PR replaces $path = '/' with trailingslashit( $path ).

Trac ticket: https://core.trac.wordpress.org/ticket/57516

#3 @afragen
14 months ago

  • Keywords needs-patch added; has-patch removed
  • Summary changed from WP_Filesystem_*::dirtiest() may create invalid path to WP_Filesystem_*::dirlist() may create invalid path

#4 @afragen
14 months ago

  • Keywords has-patch added; needs-patch removed

#5 @costdev
14 months ago

  • Version set to 2.5

Introduced in [6779].

@afragen commented on PR #3877:


14 months ago
#6

Looks good.

#7 @costdev
14 months ago

I've submitted PR 3877.

There's an additional benefit for the filesystem classes that by using $path = trailingslashit( $path ) before the while()/foreach() loops, the code is easier to read, and unnecessary concatenation isn't done in every iteration of the loops.

All uses of $path after the PR's $path = trailingslashit( $path ) were previously concatenated, so this doesn't cause any issues later.

Last edited 14 months ago by costdev (previous) (diff)

#8 @mukesh27
14 months ago

  • Milestone changed from Awaiting Review to 6.2

Thanks @costdev for the ticket and PR.

Set 6.2 milestone for visibility.

This ticket was mentioned in Slack in #core by costdev. View the logs.


13 months ago

@azaozz commented on PR #3877:


13 months ago
#10

Using trailingslashit( $path ) instead of $path . '/' makes sense and seems very unlikely to cause any problems.

#12 @azaozz
13 months ago

  • Resolution set to fixed
  • Status changed from new to closed

In [55354]: Filesystem API: Use trailingslashit( $path ) instead of $path . '/'. Fixes a warning when $path already ends with a slash.

Props: costdev, afragen, mukesh27.
Fixes: #57516.

Note: See TracTickets for help on using tickets.