WordPress-C/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-03-06 13:29:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Media: Limit thumbnail file deletions to the same directory as the original file.

Browse Source 
Merges [43393] into the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@43403


git-svn-id: http://core.svn.wordpress.org/branches/3.9@43231 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2018-07-05 15:14:12 +00:00
parent b5bae28a24
commit 309d82f2bc
2 changed files with 106 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
wp-includes/functions.php
View File

@ -1495,18 +1495,38 @@ function path_join( $base, $path ) {
/** /**
* Normalize a filesystem path. * Normalize a filesystem path.
* *
* Replaces backslashes with forward slashes for Windows systems, * On windows systems, replaces backslashes with forward slashes
* and ensures no duplicate slashes exist. * and forces upper-case drive letters.
* Allows for two leading slashes for Windows network shares, but
* ensures that all other duplicate slashes are reduced to a single.
* *
* @since 3.9.0 * @since 3.9.0
* @since 4.4.0 Ensures upper-case drive letters on Windows systems.
* @since 4.5.0 Allows for Windows network shares.
* @since 4.9.7 Allows for PHP file wrappers.
* *
* @param string $path Path to normalize. * @param string $path Path to normalize.
* @return string Normalized path. * @return string Normalized path.
*/ */
function wp_normalize_path( $path ) { function wp_normalize_path( $path ) {
$wrapper = '';
if ( wp_is_stream( $path ) ) {
list( $wrapper, $path ) = explode( '://', $path, 2 );
$wrapper .= '://';
}
// Standardise all paths to use /
$path = str_replace( '\\', '/', $path ); $path = str_replace( '\\', '/', $path );
$path = preg_replace( '|/+|','/', $path );
return $path; // Replace multiple slashes down to a singular, allowing for network shares having two slashes.
$path = preg_replace( '|(?<=.)/+|', '/', $path );
// Windows paths should uppercase the drive letter
if ( ':' === substr( $path, 1, 1 ) ) {
$path = ucfirst( $path );
}
return $wrapper . $path;
} }
/** /**
@ -4490,3 +4510,29 @@ function mbstring_binary_safe_encoding( $reset = false ) {
function reset_mbstring_encoding() { function reset_mbstring_encoding() {
mbstring_binary_safe_encoding( true ); mbstring_binary_safe_encoding( true );
} }
/**
* Deletes a file if its path is within the given directory.
*
* @since 4.9.7
*
* @param string $file Absolute path to the file to delete.
* @param string $directory Absolute path to a directory.
* @return bool True on success, false on failure.
*/
function wp_delete_file_from_directory( $file, $directory ) {
$real_file = realpath( wp_normalize_path( $file ) );
$real_directory = realpath( wp_normalize_path( $directory ) );
if ( false === $real_file || false === $real_directory || strpos( wp_normalize_path( $real_file ), trailingslashit( wp_normalize_path( $real_directory ) ) ) !== 0 ) {
return false;
}
/** This filter is documented in wp-admin/custom-header.php */
$delete = apply_filters( 'wp_delete_file', $file );
if ( ! empty( $delete ) ) {
@unlink( $delete );
}
return true;
}

82
wp-includes/post.php
View File

@ -4637,12 +4637,6 @@ function wp_delete_attachment( $post_id, $force_delete = false ) {
$backup_sizes = get_post_meta( $post->ID, '_wp_attachment_backup_sizes', true ); $backup_sizes = get_post_meta( $post->ID, '_wp_attachment_backup_sizes', true );
$file = get_attached_file( $post_id ); $file = get_attached_file( $post_id );
$intermediate_sizes = array();
foreach ( get_intermediate_image_sizes() as $size ) {
if ( $intermediate = image_get_intermediate_size( $post_id, $size ) )
$intermediate_sizes[] = $intermediate;
}
if ( is_multisite() ) if ( is_multisite() )
delete_transient( 'dirsize_cache' ); delete_transient( 'dirsize_cache' );
@ -4677,43 +4671,79 @@ function wp_delete_attachment( $post_id, $force_delete = false ) {
/** This action is documented in wp-includes/post.php */ /** This action is documented in wp-includes/post.php */
do_action( 'deleted_post', $post_id ); do_action( 'deleted_post', $post_id );
wp_delete_attachment_files( $post_id, $meta, $backup_sizes, $file );
clean_post_cache( $post );
return $post;
}
/**
* Deletes all files that belong to the given attachment.
*
* @since 4.9.7
*
* @param int $post_id Attachment ID.
* @param array $meta The attachment's meta data.
* @param array $backup_sizes The meta data for the attachment's backup images.
* @param string $file Absolute path to the attachment's file.
* @return bool True on success, false on failure.
*/
function wp_delete_attachment_files( $post_id, $meta, $backup_sizes, $file ) {
global $wpdb;
$uploadpath = wp_upload_dir(); $uploadpath = wp_upload_dir();
$deleted = true;
if ( ! empty($meta['thumb']) ) { if ( ! empty($meta['thumb']) ) {
// Don't delete the thumb if another attachment uses it // Don't delete the thumb if another attachment uses it
if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $meta['thumb'] . '%', $post_id)) ) { if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $meta['thumb'] . '%', $post_id)) ) {
$thumbfile = str_replace(basename($file), $meta['thumb'], $file); $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
/** This filter is documented in wp-admin/custom-header.php */ if ( ! empty( $thumbfile ) ) {
$thumbfile = apply_filters( 'wp_delete_file', $thumbfile ); $thumbfile = path_join( $uploadpath['basedir'], $thumbfile );
@ unlink( path_join($uploadpath['basedir'], $thumbfile) ); $thumbdir = path_join( $uploadpath['basedir'], dirname( $file ) );
if ( ! wp_delete_file_from_directory( $thumbfile, $thumbdir ) ) {
$deleted = false;
}
}
} }
} }
// remove intermediate and backup images if there are any // remove intermediate and backup images if there are any
foreach ( $intermediate_sizes as $intermediate ) { if ( isset( $meta['sizes'] ) && is_array( $meta['sizes'] ) ) {
/** This filter is documented in wp-admin/custom-header.php */ $intermediate_dir = path_join( $uploadpath['basedir'], dirname( $file ) );
$intermediate_file = apply_filters( 'wp_delete_file', $intermediate['path'] ); foreach ( $meta['sizes'] as $size => $sizeinfo ) {
@ unlink( path_join($uploadpath['basedir'], $intermediate_file) ); $intermediate_file = str_replace( basename( $file ), $sizeinfo['file'], $file );
} if ( ! empty( $intermediate_file ) ) {
$intermediate_file = path_join( $uploadpath['basedir'], $intermediate_file );
if ( is_array($backup_sizes) ) { if ( ! wp_delete_file_from_directory( $intermediate_file, $intermediate_dir ) ) {
foreach ( $backup_sizes as $size ) { $deleted = false;
$del_file = path_join( dirname($meta['file']), $size['file'] ); }
/** This filter is documented in wp-admin/custom-header.php */ }
$del_file = apply_filters( 'wp_delete_file', $del_file );
@ unlink( path_join($uploadpath['basedir'], $del_file) );
} }
} }
/** This filter is documented in wp-admin/custom-header.php */ if ( is_array($backup_sizes) ) {
$file = apply_filters( 'wp_delete_file', $file ); $del_dir = path_join( $uploadpath['basedir'], dirname( $meta['file'] ) );
foreach ( $backup_sizes as $size ) {
$del_file = path_join( dirname( $meta['file'] ), $size['file'] );
if ( ! empty( $del_file ) ) {
$del_file = path_join( $uploadpath['basedir'], $del_file );
if ( ! empty($file) ) if ( ! wp_delete_file_from_directory( $del_file, $del_dir ) ) {
@ unlink($file); $deleted = false;
}
}
}
}
clean_post_cache( $post ); if ( ! wp_delete_file_from_directory( $file, $uploadpath['basedir'] ) ) {
$deleted = false;
}
return $post; return $deleted;
} }
/** /**