[wp-trac] [WordPress Trac] #42016: Validation of filenames (pre unzipping) causes unexpected failures
WordPress Trac
noreply at wordpress.org
Wed Sep 27 23:29:59 UTC 2017
#42016: Validation of filenames (pre unzipping) causes unexpected failures
----------------------------+-----------------------------
Reporter: Ipstenu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Filesystem API | Version: 4.8.2
Severity: normal | Keywords:
Focuses: |
----------------------------+-----------------------------
Related to #41457
I have a theme zip (proprietary themeforest, sorry) that has files like
this:
{{{
1972 09-20-2017 16:17 THEME/tag.php
0 09-20-2017 16:17 THEME/template-parts/
0 09-20-2017 16:17 THEME/template-parts/./
0 09-20-2017 16:17 THEME/template-parts/../
0 09-20-2017 16:17 THEME/template-parts/archive/
0 09-20-2017 16:17 THEME/template-parts/archive/./
0 09-20-2017 16:17 THEME/template-parts/archive/../
}}}
When I try to install the theme, it throws an error:
{{{
Unpacking the package…
Could not extract file from archive. THEME/./
}}}
It appears that
[https://core.trac.wordpress.org/changeset/41457/trunk/src/wp-admin/includes/file.php this change]
is seeing those and failing, whereas if you force the file to pclzip it
works fine.
Should we not just silently discard the /./ and /../ files instead of
failing? That would prevent PHPzip from doing stupid things, and allow
uploads when people build clever zips.
Given the theme is a purchase from a customer, I'm reluctant to share it
publicly.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42016>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
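
The skip-instead-of-fail behaviour proposed in the ticket, as an added example that is not part of the original ticket and is not WordPress core code: entry names are classified before extraction, and names containing a `.` or `..` path segment are discarded while the rest of the package is still unpacked. The function names `classify_zip_entry` and `plan_extraction` are hypothetical, and the handling of empty, absolute and drive-letter names goes beyond what the ticket asks for.

```php
<?php
// Added example, not WordPress core code; function names are hypothetical.

/** Return 'extract' or 'skip' for one archive entry name. */
function classify_zip_entry( string $name ): string {
    // Treat backslashes as separators so "a\..\b" is checked the same way.
    $path = str_replace( '\\', '/', $name );

    // Assumption beyond the ticket: empty, absolute and drive-letter names are skipped too.
    if ( '' === $path || '/' === $path[0] || preg_match( '#^[A-Za-z]:#', $path ) ) {
        return 'skip';
    }
    // A "." or ".." segment anywhere in the path marks the entry for discard.
    foreach ( explode( '/', rtrim( $path, '/' ) ) as $segment ) {
        if ( '.' === $segment || '..' === $segment ) {
            return 'skip';
        }
    }
    return 'extract';
}

/** Split a listing into names to extract and names to discard, without aborting. */
function plan_extraction( array $names ): array {
    $plan = array( 'extract' => array(), 'skip' => array() );
    foreach ( $names as $name ) {
        $plan[ classify_zip_entry( $name ) ][] = $name;
    }
    return $plan;
}

// Constructed input: entry names from the listing above, plus the name from the error message.
$names = array(
    'THEME/tag.php',
    'THEME/template-parts/',
    'THEME/template-parts/./',
    'THEME/template-parts/../',
    'THEME/template-parts/archive/',
    'THEME/template-parts/archive/./',
    'THEME/template-parts/archive/../',
    'THEME/./',
);

$plan = plan_extraction( $names );
printf( "extract (%d):\n  %s\n", count( $plan['extract'] ), implode( "\n  ", $plan['extract'] ) );
printf( "skip (%d):\n  %s\n", count( $plan['skip'] ), implode( "\n  ", $plan['skip'] ) );
```

Because a skipped name is never passed to the extractor, a `..` segment still cannot write outside the destination directory; the only change from failing outright is that the remaining entries are unpacked.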