enmi-conf.org: comparison wp/wp-admin/includes/file.php

equal deleted inserted replaced

-:be944660c56a
+:3d72ae0968f4
 		'yaml',
 		'yml',
 	);
 	/**
-	 * Filters the list of file types allowed for editing in the plugin editor.
+	 * Filters the list of file types allowed for editing in the plugin file editor.
 	 *
 	 * @since 2.8.0
 	 * @since 4.9.0 Added the `$plugin` parameter.
 	 *
 	 * @param string[] $default_types An array of editable plugin file extensions.
 		'yaml',
 		'yml',
 	);
 	/**
-	 * Filters the list of file types allowed for editing in the theme editor.
+	 * Filters the list of file types allowed for editing in the theme file editor.
 	 *
 	 * @since 4.4.0
 	 *
 	 * @param string[] $default_types An array of editable theme file extensions.
-	 * @param WP_Theme $theme         The current theme object.
+	 * @param WP_Theme $theme         The active theme object.
 	 */
 	$file_types = apply_filters( 'wp_theme_editor_filetypes', $default_types, $theme );
 	// Ensure that default types are still there.
 	return array_unique( array_merge( $file_types, $default_types ) );
 	switch ( $code ) {
 		case 1:
 			wp_die( __( 'Sorry, that file cannot be edited.' ) );
 			// case 2 :
-			// wp_die( __('Sorry, can&#8217;t call files with their real path.' ));
+			// wp_die( __('Sorry, cannot call files with their real path.' ));
 		case 3:
 			wp_die( __( 'Sorry, that file cannot be edited.' ) );
 	}
 }
 * @access private
 * @since 4.0.0
 *
 * @see wp_handle_upload_error
 *
-* @param string[]       $file      Reference to a single element of `$_FILES`.
+* @param array       $file      {
-*                                  Call the function once for each uploaded file.
+*     Reference to a single element from `$_FILES`. Call the function once for each uploaded file.
-* @param array|false    $overrides {
+*
+*     @type string $name     The original name of the file on the client machine.
+*     @type string $type     The mime type of the file, if the browser provided this information.
+*     @type string $tmp_name The temporary filename of the file in which the uploaded file was stored on the server.
+*     @type int    $size     The size, in bytes, of the uploaded file.
+*     @type int    $error    The error code associated with this file upload.
+* }
+* @param array|false $overrides {
 *     An array of override parameters for this file, or boolean false if none are provided.
 *
 *     @type callable $upload_error_handler     Function to call when there is an error during the upload process.
 *                                              @see wp_handle_upload_error().
 *     @type callable $unique_filename_callback Function to call when determining a unique file name for the file.
 *     @type bool     $test_form                Whether to test that the `$_POST['action']` parameter is as expected.
 *     @type bool     $test_size                Whether to test that the file size is greater than zero bytes.
 *     @type bool     $test_type                Whether to test that the mime type of the file is as expected.
 *     @type string[] $mimes                    Array of allowed mime types keyed by their file extension regex.
 * }
-* @param string         $time      Time formatted in 'yyyy/mm'.
+* @param string      $time      Time formatted in 'yyyy/mm'.
-* @param string         $action    Expected value for `$_POST['action']`.
+* @param string      $action    Expected value for `$_POST['action']`.
-* @return string[] On success, returns an associative array of file attributes.
+* @return array {
-*                  On failure, returns `$overrides['upload_error_handler']( &$file, $message )`
+*     On success, returns an associative array of file attributes.
-*                  or `array( 'error' => $message )`.
+*     On failure, returns `$overrides['upload_error_handler']( &$file, $message )`
+*     or `array( 'error' => $message )`.
+*
+*     @type string $file Filename of the newly-uploaded file.
+*     @type string $url  URL of the newly-uploaded file.
+*     @type string $type Mime type of the newly-uploaded file.
+* }
 */
 function _wp_handle_upload( &$file, $overrides, $time, $action ) {
 	// The default error handler.
 	if ( ! function_exists( 'wp_handle_upload_error' ) ) {
 		function wp_handle_upload_error( &$file, $message ) {
 	 *  - `wp_handle_upload_prefilter`
 	 *
 	 * @since 2.9.0 as 'wp_handle_upload_prefilter'.
 	 * @since 4.0.0 Converted to a dynamic hook with `$action`.
 	 *
-	 * @param string[] $file An array of data for the file. Reference to a single element of `$_FILES`.
+	 * @param array $file {
+	 *     Reference to a single element from `$_FILES`.
+	 *
+	 *     @type string $name     The original name of the file on the client machine.
+	 *     @type string $type     The mime type of the file, if the browser provided this information.
+	 *     @type string $tmp_name The temporary filename of the file in which the uploaded file was stored on the server.
+	 *     @type int    $size     The size, in bytes, of the uploaded file.
+	 *     @type int    $error    The error code associated with this file upload.
+	 * }
 	 */
 	$file = apply_filters( "{$action}_prefilter", $file );
 	/**
 	 * Filters the override parameters for a file before it is uploaded to WordPress.
 	 *
 	 * @since 5.7.0
 	 *
 	 * @param array|false $overrides An array of override parameters for this file. Boolean false if none are
 	 *                               provided. @see _wp_handle_upload().
-	 * @param string[]    $file      An array of data for the file. Reference to a single element of `$_FILES`.
+	 * @param array       $file      {
+	 *     Reference to a single element from `$_FILES`.
+	 *
+	 *     @type string $name     The original name of the file on the client machine.
+	 *     @type string $type     The mime type of the file, if the browser provided this information.
+	 *     @type string $tmp_name The temporary filename of the file in which the uploaded file was stored on the server.
+	 *     @type int    $size     The size, in bytes, of the uploaded file.
+	 *     @type int    $error    The error code associated with this file upload.
+	 * }
 	 */
 	$overrides = apply_filters( "{$action}_overrides", $overrides, $file );
 	// You may define your own function and pass the name in $overrides['upload_error_handler'].
 	$upload_error_handler = 'wp_handle_upload_error';
 		if ( $proper_filename ) {
 			$file['name'] = $proper_filename;
 		}
 		if ( ( ! $type || ! $ext ) && ! current_user_can( 'unfiltered_upload' ) ) {
-			return call_user_func_array( $upload_error_handler, array( &$file, __( 'Sorry, this file type is not permitted for security reasons.' ) ) );
+			return call_user_func_array( $upload_error_handler, array( &$file, __( 'Sorry, you are not allowed to upload this file type.' ) ) );
 		}
 		if ( ! $type ) {
 			$type = $file['type'];
 		}
 	 * error reporting will be completely skipped.
 	 *
 	 * @since 4.9.0
 	 *
 	 * @param mixed    $move_new_file If null (default) move the file after the upload.
-	 * @param string[] $file          An array of data for a single file.
+	 * @param array    $file          {
+	 *     Reference to a single element from `$_FILES`.
+	 *
+	 *     @type string $name     The original name of the file on the client machine.
+	 *     @type string $type     The mime type of the file, if the browser provided this information.
+	 *     @type string $tmp_name The temporary filename of the file in which the uploaded file was stored on the server.
+	 *     @type int    $size     The size, in bytes, of the uploaded file.
+	 *     @type int    $error    The error code associated with this file upload.
+	 * }
 	 * @param string   $new_file      Filename of the newly-uploaded file.
 	 * @param string   $type          Mime type of the newly-uploaded file.
 	 */
 	$move_new_file = apply_filters( 'pre_move_uploaded_file', null, $file, $new_file, $type );
 *
 * @see _wp_handle_upload()
 *
 * @param array       $file      Reference to a single element of `$_FILES`.
 *                               Call the function once for each uploaded file.
+*                               See _wp_handle_upload() for accepted values.
 * @param array|false $overrides Optional. An associative array of names => values
 *                               to override default variables. Default false.
+*                               See _wp_handle_upload() for accepted values.
 * @param string      $time      Optional. Time formatted in 'yyyy/mm'. Default null.
-* @return array On success, returns an associative array of file attributes.
+* @return array See _wp_handle_upload() for return value.
-*               On failure, returns `$overrides['upload_error_handler']( &$file, $message )`
-*               or `array( 'error' => $message )`.
 */
 function wp_handle_upload( &$file, $overrides = false, $time = null ) {
 	/*
 	 *  $_POST['action'] must be set and its value must equal $overrides['action']
 	 *  or this:
 *
 * @see _wp_handle_upload()
 *
 * @param array       $file      Reference to a single element of `$_FILES`.
 *                               Call the function once for each uploaded file.
+*                               See _wp_handle_upload() for accepted values.
 * @param array|false $overrides Optional. An associative array of names => values
 *                               to override default variables. Default false.
+*                               See _wp_handle_upload() for accepted values.
 * @param string      $time      Optional. Time formatted in 'yyyy/mm'. Default null.
-* @return array On success, returns an associative array of file attributes.
+* @return array See _wp_handle_upload() for return value.
-*               On failure, returns `$overrides['upload_error_handler']( &$file, $message )`
-*               or `array( 'error' => $message )`.
 */
 function wp_handle_sideload( &$file, $overrides = false, $time = null ) {
 	/*
 	 *  $_POST['action'] must be set and its value must equal $overrides['action']
 	 *  or this:
 *
 * Please note that the calling function must unlink() the file.
 *
 * @since 2.5.0
 * @since 5.2.0 Signature Verification with SoftFail was added.
+* @since 5.9.0 Support for Content-Disposition filename was added.
 *
 * @param string $url                    The URL of the file to download.
 * @param int    $timeout                The timeout for the request to download the file.
 *                                       Default 300 seconds.
 * @param bool   $signature_verification Whether to perform Signature Verification.
 	// WARNING: The file is not automatically deleted, the script must unlink() the file.
 	if ( ! $url ) {
 		return new WP_Error( 'http_no_url', __( 'Invalid URL Provided.' ) );
 	}
-	$url_filename = basename( parse_url( $url, PHP_URL_PATH ) );
+	$url_path     = parse_url( $url, PHP_URL_PATH );
+	$url_filename = '';
+	if ( is_string( $url_path ) && '' !== $url_path ) {
+		$url_filename = basename( $url_path );
+	}
 	$tmpfname = wp_tempnam( $url_filename );
 	if ( ! $tmpfname ) {
 		return new WP_Error( 'http_no_file', __( 'Could not create temporary file.' ) );
 	}
 		unlink( $tmpfname );
 		return new WP_Error( 'http_404', trim( wp_remote_retrieve_response_message( $response ) ), $data );
 	}
+	$content_disposition = wp_remote_retrieve_header( $response, 'content-disposition' );
+	if ( $content_disposition ) {
+		$content_disposition = strtolower( $content_disposition );
+		if ( 0 === strpos( $content_disposition, 'attachment; filename=' ) ) {
+			$tmpfname_disposition = sanitize_file_name( substr( $content_disposition, 21 ) );
+		} else {
+			$tmpfname_disposition = '';
+		}
+		// Potential file name must be valid string.
+		if ( $tmpfname_disposition && is_string( $tmpfname_disposition )
+			&& ( 0 === validate_file( $tmpfname_disposition ) )
+		) {
+			$tmpfname_disposition = dirname( $tmpfname ) . '/' . $tmpfname_disposition;
+			if ( rename( $tmpfname, $tmpfname_disposition ) ) {
+				$tmpfname = $tmpfname_disposition;
+			}
+			if ( ( $tmpfname !== $tmpfname_disposition ) && file_exists( $tmpfname_disposition ) ) {
+				unlink( $tmpfname_disposition );
+			}
+		}
+	}
 	$content_md5 = wp_remote_retrieve_header( $response, 'content-md5' );
 	if ( $content_md5 ) {
 		$md5_check = verify_file_md5( $tmpfname, $content_md5 );
 		if ( ! $signature ) {
 			// Retrieve signatures from a file if the header wasn't included.
 			// WordPress.org stores signatures at $package_url.sig.
 			$signature_url = false;
-			$url_path      = parse_url( $url, PHP_URL_PATH );
+			if ( is_string( $url_path ) && ( '.zip' === substr( $url_path, -4 ) || '.tar.gz' === substr( $url_path, -7 ) ) ) {
-			if ( '.zip' === substr( $url_path, -4 ) || '.tar.gz' === substr( $url_path, -7 ) ) {
 				$signature_url = str_replace( $url_path, $url_path . '.sig', $url );
 			}
 			/**
 			 * Filters the URL where the signature for a file is located.
 				}
 			}
 		}
 		// Perform the checks.
-		$signature_verification = verify_file_signature( $tmpfname, $signature, basename( parse_url( $url, PHP_URL_PATH ) ) );
+		$signature_verification = verify_file_signature( $tmpfname, $signature, $url_filename );
 	}
 	if ( is_wp_error( $signature_verification ) ) {
 		if (
 			/**
 				__( 'The authenticity of %s could not be verified as signature verification is unavailable on this system.' ),
 				'<span class="code">' . esc_html( $filename_for_errors ) . '</span>'
 			),
 			array(
 				'php'    => phpversion(),
-				// phpcs:ignore PHPCompatibility.Constants.NewConstants.sodium_library_versionFound
 				'sodium' => defined( 'SODIUM_LIBRARY_VERSION' ) ? SODIUM_LIBRARY_VERSION : ( defined( 'ParagonIE_Sodium_Compat::VERSION_STRING' ) ? ParagonIE_Sodium_Compat::VERSION_STRING : false ),
 			)
 		);
 	}
 	if ( ! extension_loaded( 'sodium' ) && ! ParagonIE_Sodium_Compat::polyfill_is_fast() ) {
 		$sodium_compat_is_fast = false;
 		// Allow for an old version of Sodium_Compat being loaded before the bundled WordPress one.
 		if ( method_exists( 'ParagonIE_Sodium_Compat', 'runtime_speed_test' ) ) {
-			// Run `ParagonIE_Sodium_Compat::runtime_speed_test()` in optimized integer mode, as that's what WordPress utilises during signing verifications.
+			/*
+			 * Run `ParagonIE_Sodium_Compat::runtime_speed_test()` in optimized integer mode,
+			 * as that's what WordPress utilizes during signing verifications.
+			 */
 			// phpcs:disable WordPress.NamingConventions.ValidVariableName
 			$old_fastMult                      = ParagonIE_Sodium_Compat::$fastMult;
 			ParagonIE_Sodium_Compat::$fastMult = true;
 			$sodium_compat_is_fast             = ParagonIE_Sodium_Compat::runtime_speed_test( 100, 10 );
 			ParagonIE_Sodium_Compat::$fastMult = $old_fastMult;
 					__( 'The authenticity of %s could not be verified as signature verification is unavailable on this system.' ),
 					'<span class="code">' . esc_html( $filename_for_errors ) . '</span>'
 				),
 				array(
 					'php'                => phpversion(),
-					// phpcs:ignore PHPCompatibility.Constants.NewConstants.sodium_library_versionFound
 					'sodium'             => defined( 'SODIUM_LIBRARY_VERSION' ) ? SODIUM_LIBRARY_VERSION : ( defined( 'ParagonIE_Sodium_Compat::VERSION_STRING' ) ? ParagonIE_Sodium_Compat::VERSION_STRING : false ),
 					'polyfill_is_fast'   => false,
 					'max_execution_time' => ini_get( 'max_execution_time' ),
 				)
 			);
 			'signatures'  => $signatures,
 			'hash'        => bin2hex( $file_hash ),
 			'skipped_key' => $skipped_key,
 			'skipped_sig' => $skipped_signature,
 			'php'         => phpversion(),
-			// phpcs:ignore PHPCompatibility.Constants.NewConstants.sodium_library_versionFound
 			'sodium'      => defined( 'SODIUM_LIBRARY_VERSION' ) ? SODIUM_LIBRARY_VERSION : ( defined( 'ParagonIE_Sodium_Compat::VERSION_STRING' ) ? ParagonIE_Sodium_Compat::VERSION_STRING : false ),
 		)
 	);
 }
 	 * disk_free_space() could return false. Assume that any falsey value is an error.
 	 * A disk that has zero free bytes has bigger problems.
 	 * Require we have enough space to unzip the file and copy its contents, with a 10% buffer.
 	 */
 	if ( wp_doing_cron() ) {
-		$available_space = @disk_free_space( WP_CONTENT_DIR );
+		$available_space = function_exists( 'disk_free_space' ) ? @disk_free_space( WP_CONTENT_DIR ) : false;
 		if ( $available_space && ( $uncompressed_size * 2.1 ) > $available_space ) {
 			return new WP_Error(
 				'disk_full_unzip_file',
 				__( 'Could not copy files. You may have run out of disk space.' ),
 	 * disk_free_space() could return false. Assume that any falsey value is an error.
 	 * A disk that has zero free bytes has bigger problems.
 	 * Require we have enough space to unzip the file and copy its contents, with a 10% buffer.
 	 */
 	if ( wp_doing_cron() ) {
-		$available_space = @disk_free_space( WP_CONTENT_DIR );
+		$available_space = function_exists( 'disk_free_space' ) ? @disk_free_space( WP_CONTENT_DIR ) : false;
 		if ( $available_space && ( $uncompressed_size * 2.1 ) > $available_space ) {
 			return new WP_Error(
 				'disk_full_unzip_file',
 				__( 'Could not copy files. You may have run out of disk space.' ),
 * Plugins may override this form by returning true|false via the {@see 'request_filesystem_credentials'} filter.
 *
 * @since 2.5.0
 * @since 4.6.0 The `$context` parameter default changed from `false` to an empty string.
 *
-* @global string $pagenow
+* @global string $pagenow The filename of the current screen.
 *
 * @param string        $form_post                    The URL to post the form to.
 * @param string        $type                         Optional. Chosen type of filesystem. Default empty.
 * @param bool|WP_Error $error                        Optional. Whether the current request has failed
 *                                                    to connect, or an error object. Default false.

changeset 19	3d72ae0968f4
parent 18	be944660c56a
child 21	48c4eec2b7e6