Upload: Fallback to `PclZip` to validate ZIP file uploads.

`ZipArchive` can fail to validate ZIP files correctly and report valid files as invalid. This introduces a fallback to `PclZip` to check validity of files if `ZipArchive` fails them.

This introduces the new function `wp_zip_file_is_valid()` to validate archives.

Follow up to [57388].

Props audunmb, azaozz, britner, cdevroe, colorful-tones, costdev, courane01, endymion00, feastdesignco, halounsbury, jeffpaul, johnbillion, jorbin, jsandtro, karinclimber, kevincoleman, koesper, maartenbelmans, mathewemoore, melcarthus, mujuonly, nerdpressteam, olegfuture, otto42, peterwilsoncc, room34, sayful, schutzsmith, stephencronin, svitlana41319, swissspidy, tnolte, tobiasbg, vikram6, welaunchio.
Fixes #60398.

Built from https://develop.svn.wordpress.org/trunk@57537


git-svn-id: http://core.svn.wordpress.org/trunk@57038 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/includes/class-file-upload-upgrader.php

@@ -70,24 +70,7 @@ class File_Upload_Upgrader {
 			}
 
 			if ( 'pluginzip' === $form || 'themezip' === $form ) {
-				$archive_is_valid = false;
-
-				/** This filter is documented in wp-admin/includes/file.php */
-				if ( class_exists( 'ZipArchive', false ) && apply_filters( 'unzip_file_use_ziparchive', true ) ) {
-					$archive          = new ZipArchive();
-					$archive_is_valid = $archive->open( $file['file'], ZIPARCHIVE::CHECKCONS );
-
-					if ( true === $archive_is_valid ) {
-						$archive->close();
-					}
-				} else {
-					require_once ABSPATH . 'wp-admin/includes/class-pclzip.php';
-
-					$archive          = new PclZip( $file['file'] );
-					$archive_is_valid = is_array( $archive->properties() );
-				}
-
-				if ( true !== $archive_is_valid ) {
+				if ( ! wp_zip_file_is_valid( $file['file'] ) ) {
 					wp_delete_file( $file['file'] );
 					wp_die( __( 'Incompatible Archive.' ) );
 				}

wp-admin/includes/file.php

@@ -1563,6 +1563,37 @@ function wp_trusted_keys() {
 	return apply_filters( 'wp_trusted_keys', $trusted_keys );
 }
 
+/**
+ * Determines whether the given file is a valid ZIP file.
+ *
+ * This function does not test to ensure that a file exists. Non-existent files
+ * are not valid ZIPs, so those will also return false.
+ *
+ * @since 6.4.4
+ *
+ * @param string $file Full path to the ZIP file.
+ * @return bool Whether the file is a valid ZIP file.
+ */
+function wp_zip_file_is_valid( $file ) {
+	/** This filter is documented in wp-admin/includes/file.php */
+	if ( class_exists( 'ZipArchive', false ) && apply_filters( 'unzip_file_use_ziparchive', true ) ) {
+		$archive          = new ZipArchive();
+		$archive_is_valid = $archive->open( $file, ZipArchive::CHECKCONS );
+		if ( true === $archive_is_valid ) {
+			$archive->close();
+			return true;
+		}
+	}
+
+	// Fall through to PclZip if ZipArchive is not available, or encountered an error opening the file.
+	require_once ABSPATH . 'wp-admin/includes/class-pclzip.php';
+
+	$archive          = new PclZip( $file );
+	$archive_is_valid = is_array( $archive->properties() );
+
+	return $archive_is_valid;
+}
+
 /**
  * Unzips a specified ZIP file to a location on the filesystem via the WordPress
  * Filesystem Abstraction.

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.5-alpha-57536';
+$wp_version = '6.5-alpha-57537';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.