[wp-trac] [WordPress Trac] #42016: Validation of filenames (while unzipping) causes unexpected failures
WordPress Trac
noreply at wordpress.org
Thu Sep 28 22:48:23 UTC 2017
#42016: Validation of filenames (while unzipping) causes unexpected failures
----------------------------+--------------------
Reporter: Ipstenu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.8.3
Component: Filesystem API | Version: 4.8.2
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
----------------------------+--------------------
Comment (by DavidAnderson):
To add some more info: In #42046, the problem is that the check is too
broad. Disallowing anything with `..` in it makes ordinary files cause
the whole unzip to abort, rather than just preventing directory-traversal
attempts (and with no means to use a filter to override it), e.g.
`my-image..jpg` (we've already seen this pattern among our real-world
users twice). To prevent directory traversal, it should be checking for
`../` and `..\`, not just for `..`. Regardless of whether it's tasteful
or not, `..` is a valid, in-use filename pattern and not an automatic
indication of a security issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42016#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
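Added example, not WordPress core code and not part of the comment above: a zip-entry name check that rejects directory traversal without tripping on ordinary names that merely contain `..`, such as `my-image..jpg`. It goes slightly beyond the comment's suggestion of looking for `../` and `..\`: it normalizes backslashes to slashes and then rejects only a path segment that is exactly `..`, which also catches a bare `..` entry or a trailing `plugin/..` that a plain substring search for `../` would miss, plus absolute and drive-letter paths and NUL bytes. The function name `is_safe_zip_entry_name()` and the sample entry names are assumptions made for this illustration.

```php
<?php
/**
 * Added example (hypothetical helper, not WordPress's validate_file()):
 * decide whether a zip entry name is safe to extract beneath a target
 * directory. Only a whole path segment equal to ".." is treated as a
 * parent-directory reference, so "my-image..jpg" is allowed while
 * "../x", "a/../x", "a/..", "..\x" and absolute paths are rejected.
 */
function is_safe_zip_entry_name( $name ) {
    // Zip writers disagree about separators, and on Windows "..\" is traversal
    // just as "../" is, so treat backslashes as slashes before inspecting.
    $normalized = str_replace( '\\', '/', $name );

    // Empty names and absolute paths ("/etc/passwd") can never be safe.
    if ( '' === $normalized || '/' === $normalized[0] ) {
        return false;
    }

    // Windows drive-letter paths such as "C:/x" or "C:x".
    if ( preg_match( '#^[A-Za-z]:#', $normalized ) ) {
        return false;
    }

    // A NUL byte can truncate the path the filesystem actually sees.
    if ( false !== strpos( $normalized, "\0" ) ) {
        return false;
    }

    // The traversal check proper: compare whole segments, not substrings.
    foreach ( explode( '/', $normalized ) as $segment ) {
        if ( '..' === $segment ) {
            return false;
        }
    }

    return true;
}

// Constructed sample entry names (assumed, not from a real archive):
// ordinary names containing ".." beside genuine traversal attempts.
$samples = array(
    'my-image..jpg'       => true,
    'plugin/readme..txt'  => true,
    '..config'            => true,  // leading dots, but not a ".." segment
    'a../b.txt'           => true,
    '../wp-config.php'    => false,
    'plugin/../../x.php'  => false,
    'plugin/..'           => false, // missed by a search for "../" alone
    '..\\wp-config.php'   => false, // backslash variant
    '/etc/passwd'         => false,
    'C:\\Windows\\x.dll'  => false,
    "ok.txt\0.php"        => false,
);

foreach ( $samples as $entry => $expected ) {
    $result = is_safe_zip_entry_name( $entry );
    printf(
        "%-24s %s%s\n",
        json_encode( $entry ),
        $result ? 'allow' : 'reject',
        $result === $expected ? '' : '  (UNEXPECTED)'
    );
}
```

Because the decision is made per segment, the check matches how a filesystem resolves the path: `my-image..jpg` and `..config` are single components that are not `..`, so they pass, while any component that is exactly `..` is rejected regardless of which separator follows it. An extractor that also wants belt-and-braces protection can additionally compare the realpath of the final destination against the target directory after writing, but that is independent of the filename validation shown here.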