Make WordPress Core

Opened 4 months ago

Last modified 3 months ago

#58905 new defect (bug)

Ensure locate_template only loads theme files

Reported by: jorbin
Owned by:
Milestone: 6.5
Priority: normal
Severity: normal
Version:
Component: Themes
Keywords: has-patch early needs-unit-tests
Focuses:
Cc:

Description

It's possible to have locate_template load files that are not template files which could be unexpected behavior that breaks the display of a page.

The chance this breaks something is, I think, not infinitesimal. Therefore, this should go in early.

An initial patch is attached.

Attachments (1)

58905.diff (2.1 KB) - added by jorbin 4 months ago.


Change History (6)

@jorbin
4 months ago

  • Attachment 58905.diff added

#1 @joemcgill
4 months ago

Thanks @jorbin. The use of realpath() in this diff can have a measurable negative performance impact. Given that this function has assumed that the template names were being concatenated directly with the various constants previously, I wonder if we could use validate_file() instead here and avoid the multiple calls to realpath()?

#2 @JeffPaul
3 months ago

  • Keywords needs-refresh needs-unit-tests added

#3
3 months ago

This ticket was mentioned in PR #5076 on WordPress/wordpress-develop by @pypwalters.

  • Keywords needs-refresh removed

Uses validate_file to ensure that the paths processed by locate_template are not directory traversals, Windows drive paths, etc.

Trac ticket:
https://core.trac.wordpress.org/ticket/58905
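As an added example (not the attached 58905.diff, not PR #5076, and not WordPress core code), the following self-contained PHP sketch shows the check the description and comment #3 describe: each candidate template name is passed through a validate_file()-style filter before it is joined onto the child theme directory (STYLESHEETPATH) or the parent theme directory (TEMPLATEPATH), so a name such as ../../not-a-template.php is skipped instead of being found on disk and loaded. The demo_validate_file() stand-in, the demo_locate_template() model and the temporary theme directories are all assumptions made for this demo; the real validate_file() differs in detail.

```php
<?php
// Added example for ticket #58905 (hypothetical, not WordPress core and not
// the attached 58905.diff): a minimal model of locate_template() with and
// without a validate_file()-style check on each candidate template name.

/**
 * Stand-in for validate_file(). Return codes follow the documented ones:
 * 0 = ok, 1 = directory traversal, 2 = Windows drive path, 3 = not in the
 * allow list. This demo rejects any '../' component; the real function's
 * rules differ in detail, so treat this as an assumption.
 */
function demo_validate_file( string $file, array $allowed_files = array() ): int {
    if ( '' === $file ) {
        return 0;
    }
    $file = str_replace( '\\', '/', $file ); // normalise Windows separators

    if ( '../' === $file || false !== strpos( $file, '../' ) ) {
        return 1;
    }
    if ( ':' === substr( $file, 1, 1 ) ) {   // e.g. 'C:/...'
        return 2;
    }
    if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files, true ) ) {
        return 3;
    }
    return 0;
}

/**
 * Model of locate_template(): try each name in the child theme directory
 * (STYLESHEETPATH) and then the parent (TEMPLATEPATH), returning the first
 * existing file. With $validate = true, names that fail demo_validate_file()
 * are skipped before any path is built or the filesystem is touched.
 */
function demo_locate_template( array $names, string $stylesheet_path, string $template_path, bool $validate ): string {
    foreach ( $names as $name ) {
        if ( '' === $name ) {
            continue;
        }
        if ( $validate && 0 !== demo_validate_file( $name ) ) {
            continue;
        }
        foreach ( array( $stylesheet_path, $template_path ) as $dir ) {
            $candidate = $dir . '/' . $name;
            if ( file_exists( $candidate ) ) {
                return $candidate;
            }
        }
    }
    return '';
}

// Constructed fixture: throwaway directories standing in for a WordPress
// install with a parent theme, a child theme and one non-template file.
$base   = sys_get_temp_dir() . '/locate_template_demo_' . getmypid();
$parent = $base . '/wp-content/themes/parent';
$child  = $base . '/wp-content/themes/child';
mkdir( $parent, 0700, true );
mkdir( $child, 0700, true );
file_put_contents( $parent . '/single.php', "<?php // parent theme template\n" );
file_put_contents( $child . '/page.php', "<?php // child theme template\n" );
file_put_contents( $base . '/wp-content/not-a-template.php', "<?php // not a template\n" );

$cases = array(
    array( 'page.php' ),                               // found in the child theme
    array( 'single-foo.php', 'single.php' ),           // falls through to the parent
    array( '../../not-a-template.php', 'single.php' ), // traversal out of the theme dir
    array( 'C:/Windows/win.ini' ),                     // Windows drive path
);

foreach ( array( false, true ) as $validate ) {
    echo $validate ? "with validation:\n" : "without validation:\n";
    foreach ( $cases as $names ) {
        $found = demo_locate_template( $names, $child, $parent, $validate );
        printf( "  %-42s -> %s\n", implode( ', ', $names ), '' === $found ? '(none)' : substr( $found, strlen( $base ) ) );
    }
}

// Remove the fixture.
foreach ( array( $parent . '/single.php', $child . '/page.php', $base . '/wp-content/not-a-template.php' ) as $f ) {
    unlink( $f );
}
foreach ( array( $child, $parent, $base . '/wp-content/themes', $base . '/wp-content', $base ) as $d ) {
    rmdir( $d );
}
```

Run it with php on the command line. The traversal row is the one that changes: without the check the first existing path is wp-content/themes/child/../../not-a-template.php, a file that is not a template at all; with the check the name is rejected before any path is built and single.php from the parent theme is returned instead. Because the rejection is a string check on the name, it adds no filesystem lookups, which is the cost comment #1 raises about realpath().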

#4 @pypwalters
3 months ago

Option added that uses validate_file(). I removed the unit tests because the result was always coming up empty. I believe I am running into some complications because of the use of STYLESHEETPATH and TEMPLATEPATH in the locate_template function. Is it possible that these are not available to phpunit?

#5 @oglekler
3 months ago

  • Milestone changed from 6.4 to 6.5

Because this is an early ticket, I am moving it into the 6.5 milestone.
