[wp-trac] [WordPress Trac] #42016: Validation of filenames (while unzipping) causes unexpected failures
WordPress Trac
noreply at wordpress.org
Wed Oct 11 15:26:02 UTC 2017
#42016: Validation of filenames (while unzipping) causes unexpected failures
----------------------------+--------------------
Reporter: Ipstenu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.8.3
Component: Filesystem API | Version: 4.8.2
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
----------------------------+--------------------
Comment (by DavidAnderson):
I've just added a patch which changes the dots check as follows:
* Removes the check for `./`. This is completely harmless (it means "current
directory"). You cannot perform directory traversal with it.
* Replaces the check for `..` with a more sophisticated check for a `../`
which occurs anywhere other than the end of the line.
This patch should fix both @Ipstenu's reported issue (a single `../` at the
end of the path is not harmful; at the worst (if it is the only thing
present in the path) it would indicate the unzip folder's parent
directory, which necessarily already exists) and mine (the unnecessary
forbidding of any `..` sequence anywhere), whilst still maintaining the
intended protection of preventing directory traversal via `../`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42016#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
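Editor's worked example (added here; this is not the ticket's patch and not WordPress core code). It models the two filename checks the comment describes, the old "any `..` or `./`" check and the patched "`../` anywhere except at the end" check, and adds a third, lexical-resolution check as a practitioner's alternative. The function names and the sample archive entry names are constructed for illustration; the exact code of the real patch is not on this page, so the two modelled checks follow the comment's description, not the patch itself.

```php
<?php
// Added example, not code from the ticket's patch or from WordPress core.
// Function names and sample entry names are constructed for illustration.

// Old behaviour as described in the comment: any '..' or './' anywhere is rejected.
function entry_rejected_by_old_check( $name ) {
    return ( false !== strpos( $name, '..' ) ) || ( false !== strpos( $name, './' ) );
}

// Patched behaviour as described in the comment: reject '../' unless it is the
// final thing in the name. '(?!$)' means "not followed by end of string".
function entry_rejected_by_patched_check( $name ) {
    return 1 === preg_match( '#\.\./(?!$)#', $name );
}

// Stricter alternative (editor's addition, not in the ticket): walk the segments
// of the entry name, resolving '.' and '..' lexically, and reject the entry if it
// ever climbs above the extraction directory. Note the differences from the
// patched check: 'foo/../bar.txt' is accepted (it stays inside the target),
// while a lone '../' is rejected (it resolves to the target's parent).
function entry_escapes_target_dir( $name ) {
    $depth = 0;
    foreach ( explode( '/', str_replace( '\\', '/', $name ) ) as $segment ) {
        if ( '' === $segment || '.' === $segment ) {
            continue;        // empty (leading or doubled slash) or '.' segment: no-op
        }
        if ( '..' === $segment ) {
            if ( 0 === $depth ) {
                return true; // would step out of the extraction directory
            }
            $depth--;
            continue;
        }
        $depth++;
    }
    return false;
}

// Constructed sample entry names covering the cases discussed in the ticket.
$samples = array(
    'plugin/plugin.php',     // ordinary file
    './plugin/readme.txt',   // harmless './', rejected only by the old check
    'a..b.txt',              // '..' inside a filename, rejected only by the old check
    'plugin/..',             // trailing '..' without a slash
    'plugin/../',            // trailing '../', resolves to the target dir itself
    '../',                   // lone '../', the "only thing present" case in the comment
    'plugin/../other.txt',   // '../' mid-path, but stays inside the target
    '../../etc/passwd',      // real traversal attempt
);

printf( "%-24s %-8s %-8s %-8s\n", 'entry', 'old', 'patched', 'lexical' );
foreach ( $samples as $name ) {
    printf(
        "%-24s %-8s %-8s %-8s\n",
        $name,
        entry_rejected_by_old_check( $name ) ? 'reject' : 'ok',
        entry_rejected_by_patched_check( $name ) ? 'reject' : 'ok',
        entry_escapes_target_dir( $name ) ? 'reject' : 'ok'
    );
}
```

Run with `php example.php`. The table makes the trade-off visible: the patched substring check is simple and cheap but still rejects `plugin/../other.txt`, which cannot leave the target, whereas the lexical check tracks depth and only rejects names that actually resolve above the extraction directory; on the other hand it treats a lone `../` as escaping, which the comment considers harmless because the parent directory already exists. Whichever check is used, the decision should be made on the resolved destination path rather than on the raw string alone.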