Filesystem API: Add more specificity to the rules for valid files in `validate_file()`.

This now treats files containing `./` as valid, and also treats files containing a trailing `../` as valid due to widespread use of this pattern in theme and plugin zip files.

Adds tests.

Props Ipstenu, borgesbruno, DavidAnderson, philipjohn, birgire
Fixes #42016, #36170

Built from https://develop.svn.wordpress.org/trunk@42011


git-svn-id: http://core.svn.wordpress.org/trunk@41845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2017-10-24 23:15:49 +00:00
parent 16cfe96580
commit 2f3e91028a
3 changed files with 16 additions and 5 deletions

View File

@ -663,7 +663,7 @@ function wp_tempnam( $filename = '', $dir = '' ) {
* @param array $allowed_files Optional. Array of allowed files to edit, $file must match an entry exactly. * @param array $allowed_files Optional. Array of allowed files to edit, $file must match an entry exactly.
* @return string|null * @return string|null
*/ */
function validate_file_to_edit( $file, $allowed_files = '' ) { function validate_file_to_edit( $file, $allowed_files = array() ) {
$code = validate_file( $file, $allowed_files ); $code = validate_file( $file, $allowed_files );
if (!$code ) if (!$code )

View File

@ -4252,16 +4252,27 @@ function iis7_supports_permalinks() {
* @param array $allowed_files Optional. List of allowed files. * @param array $allowed_files Optional. List of allowed files.
* @return int 0 means nothing is wrong, greater than 0 means something was wrong. * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
*/ */
function validate_file( $file, $allowed_files = '' ) { function validate_file( $file, $allowed_files = array() ) {
if ( false !== strpos( $file, '..' ) ) // `../` on its own is not allowed:
if ( '../' === $file ) {
return 1; return 1;
}
if ( false !== strpos( $file, './' ) ) // More than one occurence of `../` is not allowed:
if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
return 1; return 1;
}
// `../` which does not occur at the end of the path is not allowed:
if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
return 1;
}
// Files not in the allowed file list are not allowed:
if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) ) if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) )
return 3; return 3;
// Absolute Windows drive paths are not allowed:
if (':' == substr( $file, 1, 1 ) ) if (':' == substr( $file, 1, 1 ) )
return 2; return 2;

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.9-beta3-42010'; $wp_version = '4.9-beta3-42011';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.