From 2f3e91028aa470139120380c3bae713482eeb06d Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 24 Oct 2017 23:15:49 +0000 Subject: [PATCH] Filesystem API: Add more specificity to the rules for valid files in `validate_file()`. This now treats files containing `./` as valid, and also treats files containing a trailing `../` as valid due to widespread use of this pattern in theme and plugin zip files. Adds tests. Props Ipstenu, borgesbruno, DavidAnderson, philipjohn, birgire Fixes #42016, #36170 Built from https://develop.svn.wordpress.org/trunk@42011 git-svn-id: http://core.svn.wordpress.org/trunk@41845 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/file.php | 2 +- wp-includes/functions.php | 17 ++++++++++++++--- wp-includes/version.php | 2 +- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php index 416433e5a5..a834e5e161 100644 --- a/wp-admin/includes/file.php +++ b/wp-admin/includes/file.php @@ -663,7 +663,7 @@ function wp_tempnam( $filename = '', $dir = '' ) { * @param array $allowed_files Optional. Array of allowed files to edit, $file must match an entry exactly. * @return string|null */ -function validate_file_to_edit( $file, $allowed_files = '' ) { +function validate_file_to_edit( $file, $allowed_files = array() ) { $code = validate_file( $file, $allowed_files ); if (!$code ) diff --git a/wp-includes/functions.php b/wp-includes/functions.php index a9c53d31e4..b5d21285b6 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -4252,16 +4252,27 @@ function iis7_supports_permalinks() { * @param array $allowed_files Optional. List of allowed files. * @return int 0 means nothing is wrong, greater than 0 means something was wrong. */ -function validate_file( $file, $allowed_files = '' ) { - if ( false !== strpos( $file, '..' ) ) +function validate_file( $file, $allowed_files = array() ) { + // `../` on its own is not allowed: + if ( '../' === $file ) { return 1; + } - if ( false !== strpos( $file, './' ) ) + // More than one occurence of `../` is not allowed: + if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) { return 1; + } + // `../` which does not occur at the end of the path is not allowed: + if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) { + return 1; + } + + // Files not in the allowed file list are not allowed: if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) ) return 3; + // Absolute Windows drive paths are not allowed: if (':' == substr( $file, 1, 1 ) ) return 2; diff --git a/wp-includes/version.php b/wp-includes/version.php index b8b08e48d2..80b979c518 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.9-beta3-42010'; +$wp_version = '4.9-beta3-42011'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.