Make WordPress Core

Opened 2 weeks ago

Last modified 13 days ago

#62434 reopened defect (bug)

Missing Escaping functionality for async-upload.php Some Variable

Reported by: shyamkariya
Owned by: SergeyBiryukov
Milestone: 6.7.2
Priority: normal
Severity: normal
Version: 6.6
Component: Upload
Keywords: has-patch fixed-major
Focuses: administration, coding-standards
Cc:

Description

Missing escaping functionality in the async-upload.php file... the variable missing escaping functionality is $file_url.

File location: ...\wp-admin\async-upload.php, line number 77.

I have shared the screenshot below...

Attachments (2)

variable-missing.png (79.0 KB) - added by shyamkariya 2 weeks ago.
62434.patch (806 bytes) - added by pitamdey 2 weeks ago.
Patch for this issue

Change History (9)

@pitamdey
2 weeks ago

Patch for this issue

#1 @nareshbheda
2 weeks ago

  • Keywords has-patch added

#2 @ketanniruke
2 weeks ago

Declare this $file_url = esc_url($file_url); and check. It will work.

This ticket was mentioned in Slack in #core by desrosj.
2 weeks ago

#4 @desrosj
2 weeks ago

  • Milestone changed from Awaiting Review to 6.7.2

Introduced in 6.6 through [58279].

#5 @SergeyBiryukov
2 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 59407:

Coding Standards: Escape attachment URL in wp-admin/async-upload.php.

Follow-up to [58279].

Props shyamkariya, pitamdey, nareshbheda, ketanniruke, desrosj.
Fixes #62434.

#6 @SergeyBiryukov
2 weeks ago

  • Keywords fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Thanks for the ticket! Reopening for 6.7.x consideration.

#7 @desrosj
13 days ago

  • Version changed from 6.7 to 6.6