[wp-trac] [WordPress Trac] #42016: Validation of filenames (while unzipping) causes unexpected failures
WordPress Trac
noreply at wordpress.org
Wed Oct 4 21:32:16 UTC 2017
#42016: Validation of filenames (while unzipping) causes unexpected failures
----------------------------+--------------------
Reporter: Ipstenu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.8.3
Component: Filesystem API | Version: 4.8.2
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
----------------------------+--------------------
Comment (by DavidAnderson):
> As for the 'real' use of filename..jpg I'm on the fence here. It's
legit, but if we can't sanely trap it, then we should also be discarding
them with the same alert.
I just ran some tests on a shared hosting server that's currently hosting
188 widely varying (in content and ownership) WP sites. 12 of them (i.e.
6.3%) contain this pattern somewhere in wp-content/uploads (searching for
..jpg, ..jpeg, ..gif, ..png, ..pdf). The number of sites with files
matching this pattern is likely huge.
There's no danger posed by two consecutive periods that aren't followed by
a slash. If WP core decides to handle it as potentially dangerous, I think
it at least needs a filter so that plugins can trap it if they want to (so
that they can at least get the pre-4.8.2 behaviour). Though, I'd strongly
propose only trapping when it's followed by a slash, so that every plugin
author who handles unzipping doesn't have to learn about it the hard way.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42016#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list