[wp-trac] [WordPress Trac] #42016: Validation of filenames (while unzipping) causes unexpected failures
WordPress Trac
noreply at wordpress.org
Wed Oct 4 21:03:47 UTC 2017
#42016: Validation of filenames (while unzipping) causes unexpected failures
----------------------------+--------------------
Reporter: Ipstenu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.8.3
Component: Filesystem API | Version: 4.8.2
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
----------------------------+--------------------
Comment (by Ipstenu):
In theory `./` and `../` and `..\` and `.\` can all be 'skipped' and not
processed (i.e., don't expand it, don't try to save it, just log the error).
While they ''may'' cause issues, we can use an alert similar to what we do
when we have a headers alert when you activate a plugin that dumps a bunch
of stuff.

"Unexpected zip output. If you experience issues with your [theme|plugin]
please contact the developer directly, as their zip may have been
improperly packaged."

As for the 'real' use of filename..jpg I'm on the fence here. It's legit,
but if we can't sanely trap it, then we should also be discarding them
with the same alert.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42016#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
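
The handling discussed in the comment above, as an added example (not WordPress core code and not part of the ticket): entry names are judged per path segment, so `./`, `../`, `..\` and `.\` are skipped and reported, while a name such as `filename..jpg` is told apart from a traversal segment. The function names and the sample entry names are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not WordPress APIs.

/**
 * Classify one zip entry name as 'extract' or 'skip'.
 */
function classify_zip_entry( string $name ): string {
    // Treat both separators alike so `..\` is caught as well as `../`.
    $normalized = str_replace( '\\', '/', $name );

    // Empty names, absolute paths and drive letters are never extracted.
    if ( '' === $normalized || '/' === $normalized[0] || preg_match( '#^[A-Za-z]:#', $normalized ) ) {
        return 'skip';
    }

    $has_real_segment = false;
    foreach ( explode( '/', $normalized ) as $segment ) {
        if ( '..' === $segment ) {
            return 'skip'; // A whole-segment `..` leaves the target directory.
        }
        if ( '' !== $segment && '.' !== $segment ) {
            $has_real_segment = true; // `filename..jpg` is an ordinary segment.
        }
    }

    // Entries made only of `.` segments (`./`, `.\`) carry nothing to save.
    return $has_real_segment ? 'extract' : 'skip';
}

/**
 * Sort a list of entry names into those to extract and those skipped.
 */
function plan_extraction( array $names ): array {
    $plan = array( 'extract' => array(), 'skip' => array() );
    foreach ( $names as $name ) {
        $plan[ classify_zip_entry( $name ) ][] = $name;
    }
    return $plan;
}

// Constructed sample entry names, not taken from a real archive.
$names = array( './', '.\\', '../', '..\\outside.txt', 'theme/../../outside.txt',
    'theme/images/filename..jpg', 'theme/./style.css' );
$plan  = plan_extraction( $names );

print_r( $plan ); // Only the last two names land in 'extract'.
if ( $plan['skip'] ) {
    // Log the skipped names and show a notice instead of failing the whole unzip.
    echo 'Unexpected zip output: ' . count( $plan['skip'] ) . " entries skipped.\n";
}
```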