[wp-trac] [WordPress Trac] #49865: _unzip_file_pclzip attempting to create directories all the way up to /

WordPress Trac noreply at wordpress.org
Thu Apr 9 20:33:07 UTC 2020 

#49865: _unzip_file_pclzip attempting to create directories all the way up to /
-----------------------------+-----------------------------
 Reporter:  mwheelermindbox  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Filesystem API   |    Version:  5.4
 Severity:  normal           |   Keywords:
  Focuses:  administration   |
-----------------------------+-----------------------------
 In wp-admin/includes/file.php _unzip_file_pclzip looks to be attempting to
 create directories all the way up to / (the root directory of the server).

 Line 1411:

 {{{
 $to          = trailingslashit( $to );

 }}}
 Adds a trailing slash to the destination path.

 Line 1636:

 {{{
 $needed_dirs[] = $to . untrailingslashit( $file['folder'] ?
 $file['filename'] : dirname( $file['filename'] ) );

 }}}
 Adds the $to directory to $needed_dirs if there are files at the root
 level of the archive.

 Line 1655:

 {{{
 if ( untrailingslashit( $to ) == $dir ) {
 }}}

 attempts to skip the $to directory, but since the top-level path in
 $needed_dirs includes a trailing slash this check fails.

 So then lines 1663-1666:

 {{{
 while ( ! empty( $parent_folder ) && untrailingslashit( $to ) !=
 $parent_folder && ! in_array( $parent_folder, $needed_dirs ) ) {
         $needed_dirs[] = $parent_folder;
         $parent_folder = dirname( $parent_folder );
 }
 }}}
 add every directory all the way up to /, the root of the server to
 $needed_dirs

 Finally line 1673:

 {{{
 if ( ! $wp_filesystem->mkdir( $_dir, FS_CHMOD_DIR ) && !
 $wp_filesystem->is_dir( $_dir ) ) {
 }}}

 throws an error when checking if / is a directory and the entire unzip
 fails.

 If I remove untrailingslashit from line 1655 (or wrap $dir in
 untrailingslashit as well) that check works as designed and the problem is
 avoided.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49865>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list