Opened 4 months ago
Last modified 3 months ago
#58905 new defect (bug)
Ensure locate_template only loads theme files
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | 6.5 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Themes | Keywords: | has-patch early needs-unit-tests |
Focuses: | Cc: |
Description
It's possible to have locate_template load files that are not template files which could be unexpected behavior that breaks the display of a page.
The chance this breaks something is, I think, not infinitesimal. Therefore, this should go in early.
An initial patch is attached.
Attachments (1)
Change History (6)
This ticket was mentioned in PR #5076 on WordPress/wordpress-develop by @pypwalters.
3 months ago
#3
- Keywords needs-refresh removed
Uses validate_file
to ensure that the paths processed by locate_template
are not directory traversals, Windows drive paths, etc...
Trac ticket:
https://core.trac.wordpress.org/ticket/58905
#4
@
3 months ago
Option added that uses validate_file(). I removed the unit tests because the result was always coming up empty. I believe I am running into some complications because of the use of STYLESHEETPATH and TEMPLATEPATH in the locate_template function. Is it possible that these are not available to phpunit?
Thanks @jorbin. The use of
realpath()
in this diff can have a measurable negative performance impact. Given that this function has assumed that the template names were being concatenated directly with the various constants previously, I wonder if we could usevalidate_file()
instead here and avoid the multiple calls torealpath()
?