[wp-trac] [WordPress Trac] #15086: get_template_part() should let you specify a directory
WordPress Trac
noreply at wordpress.org
Wed Sep 23 23:41:51 UTC 2015
#15086: get_template_part() should let you specify a directory
-------------------------------------------------+-------------------------
 Reporter:  aaroncampbell                        |       Owner:  westi
     Type:  enhancement                          |      Status:  accepted
 Priority:  normal                               |   Milestone:  Future Release
Component:  Themes                               |     Version:  3.0
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch westi-likes                |     Focuses:
            needs-unit-tests 2nd-opinion         |
-------------------------------------------------+-------------------------
Comment (by mattoperry):
I'm specifically interested in the part of this thread that concerns
directory traversal ... though Nacin mentions that some themes use
`get_template_part` to traverse directories, this strikes me as a clear
misuse of this function, and indeed a potential vulnerability. Any
interest in at least applying `validate_file` or the like before
`get_template_part` loads a template? Otherwise we'll have to require it
to be called before `get_template_part` anyway in the case of any
not-100%-trusted arguments to that function ... which would kind of bite.
I'm pretty agnostic on the other issues in this thread, but preventing
inclusion from outside the current theme seems important.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/15086#comment:63>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
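The traversal the comment above worries about, as an added, self-contained example (this is not WordPress core code and does not call `get_template_part()` or `validate_file()`; the function names `candidates`, `load_part_unchecked`, `is_safe_part`, `load_part_checked` and the throwaway sandbox layout are assumptions for the demo). It mirrors only the candidate-name logic of `get_template_part()` (`slug-name.php`, then `slug.php`) under a theme directory, shows a `../` slug reaching a file outside that directory, and then the same loader with an allow-list check on the slug plus a resolved-path prefix check, which is the kind of guard the comment asks for before the include happens:

```php
<?php
// Added example, not WordPress code. Demonstrates why a slug taken from an
// untrusted source must be validated before it is turned into an include path.

// Throwaway tree: <sandbox>/theme/content.php, <sandbox>/theme/content-aside.php
// and <sandbox>/outside.php, which the theme must never be able to include.
$sandbox = sys_get_temp_dir() . '/tpl-' . bin2hex(random_bytes(4));
$theme   = $sandbox . '/theme';
mkdir($theme, 0700, true);
file_put_contents($theme . '/content.php',       "<?php echo \"  [included content.php from theme]\\n\";");
file_put_contents($theme . '/content-aside.php', "<?php echo \"  [included content-aside.php from theme]\\n\";");
file_put_contents($sandbox . '/outside.php',     "<?php echo \"  [included outside.php: NOT in theme!]\\n\";");

// Same candidate order as get_template_part(): "slug-name.php", then "slug.php".
function candidates(string $slug, string $name = ''): array {
    $files = [];
    if ($name !== '') {
        $files[] = "{$slug}-{$name}.php";
    }
    $files[] = "{$slug}.php";
    return $files;
}

// Unchecked: the slug is concatenated straight into the path. A slug such as
// "../outside" resolves to <sandbox>/outside.php and gets included.
function load_part_unchecked(string $theme, string $slug, string $name = ''): ?string {
    foreach (candidates($slug, $name) as $file) {
        $path = $theme . '/' . $file;
        if (is_file($path)) {
            include $path;
            return $path;
        }
    }
    return null;
}

// Allow-list on the slug itself: segments of [A-Za-z0-9_-] joined by '/'.
// This rejects "..", leading '/', Windows drive letters and stream wrappers
// before the filesystem is touched.
function is_safe_part(string $slug): bool {
    return (bool) preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $slug);
}

// Checked: validate the inputs, then confirm the resolved path still lies
// under the theme root (realpath() also collapses symlinks).
function load_part_checked(string $theme, string $slug, string $name = ''): ?string {
    if (!is_safe_part($slug) || ($name !== '' && !is_safe_part($name))) {
        return null;
    }
    $root = realpath($theme);
    foreach (candidates($slug, $name) as $file) {
        $path = realpath($theme . '/' . $file);
        if ($path !== false && is_file($path)
            && strpos($path, $root . DIRECTORY_SEPARATOR) === 0) {
            include $path;
            return $path;
        }
    }
    return null;
}

$hostile = '../outside';   // constructed: what a query-string-derived slug might carry

echo "unchecked, content/aside:\n"; var_dump(load_part_unchecked($theme, 'content', 'aside'));
echo "unchecked, '../outside':\n";  var_dump(load_part_unchecked($theme, $hostile));
echo "checked,   content/aside:\n"; var_dump(load_part_checked($theme, 'content', 'aside'));
echo "checked,   '../outside':\n";  var_dump(load_part_checked($theme, $hostile));

// Clean up the sandbox.
foreach ([$theme . '/content.php', $theme . '/content-aside.php', $sandbox . '/outside.php'] as $f) {
    unlink($f);
}
rmdir($theme);
rmdir($sandbox);
```

Run it with `php` from the command line: the unchecked loader includes `outside.php` for the hostile slug and returns its path, while the checked loader returns `null` for it and still includes `content-aside.php` for the normal call. The allow-list is deliberately stricter than a blacklist of `..` sequences; the `realpath()` prefix test is a second, independent guard so a future relaxation of the pattern (for example to allow subdirectories a theme really uses) cannot silently reopen the escape.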