--- a/wp/wp-includes/functions.php Tue Oct 15 11:56:20 2019 +0200
+++ b/wp/wp-includes/functions.php Tue Oct 15 15:48:13 2019 +0200
@@ -1787,6 +1787,11 @@
return @is_dir( $target );
}
+ // Do not allow path traversals.
+ if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+ return false;
+ }
+
// We need to find the permissions of the parent folder that exists and inherit that.
$target_parent = dirname( $target );
while ( '.' != $target_parent && ! is_dir( $target_parent ) && dirname( $target_parent ) !== $target_parent ) {
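Review bot: The traversal guard in the added `if` is a substring test, so it misses a `..` component that ends the path (a target ending in `/..` with no trailing separator) and it also rejects a legitimate directory whose name merely ends in two dots. Comparing whole path components is more precise, e.g. `if ( in_array( '..', explode( '/', str_replace( DIRECTORY_SEPARATOR, '/', $target ) ), true ) ) { return false; }`. The guard also sits after the `file_exists()` early return at the top of the hunk, so a target that contains `../` and already exists is still answered with `@is_dir( $target )`; if callers are meant to rely on this function refusing such paths, the guard probably belongs before that return. The enclosing function starts and ends outside the hunk, and its docblock should state that targets containing parent-directory references now return false.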