diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-admin/includes/class-file-upload-upgrader.php
--- a/wp/wp-admin/includes/class-file-upload-upgrader.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-admin/includes/class-file-upload-upgrader.php Fri Sep 05 18:40:08 2025 +0200
@@ -16,6 +16,7 @@
 * @since 2.8.0
 * @since 4.6.0 Moved to its own file from wp-admin/includes/class-wp-upgrader.php.
 */
+#[AllowDynamicProperties]
 class File_Upload_Upgrader {
 /**
@@ -68,6 +69,30 @@
 wp_die( $file['error'] );
 }
+ if ( 'pluginzip' === $form || 'themezip' === $form ) {
+ if ( ! wp_zip_file_is_valid( $file['file'] ) ) {
+ wp_delete_file( $file['file'] );
+
+ if ( 'pluginzip' === $form ) {
+ $plugins_page = sprintf(
+ '%s',
+ self_admin_url( 'plugin-install.php' ),
+ __( 'Return to the Plugin Installer' )
+ );
+ wp_die( __( 'Incompatible Archive.' ) . '
' . $plugins_page );
+ }
+ if ( 'themezip' === $form ) {
+ $themes_page = sprintf(
+ '%s',
+ self_admin_url( 'theme-install.php' ),
+ __( 'Return to the Theme Installer' )
+ );
+ wp_die( __( 'Incompatible Archive.' ) . '
' . $themes_page );
+ }
+ }
+ }
+
 $this->filename = $_FILES[ $form ]['name'];
 $this->package = $file['file'];
@@ -107,14 +132,14 @@
 $this->filename = sanitize_file_name( $_GET[ $urlholder ] );
 $this->package = $uploads['basedir'] . '/' . $this->filename;
- if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
+ if ( ! str_starts_with( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
 wp_die( __( 'Please select a file' ) );
 }
 }
 }
 /**
- * Delete the attachment/uploaded file.
+ * Deletes the attachment/uploaded file.
 *
 * @since 3.2.2
 *
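Review bot: The new `wp_zip_file_is_valid()` check only runs for the `pluginzip`/`themezip` upload forms, while the other branch of the same constructor (visible in the third hunk) builds `$this->package` from a `$_GET[ $urlholder ]` filename with only a realpath prefix check and never validates the archive; if that branch is meant to re-use a file already validated on first upload, a comment such as `// Archive already validated when it was first uploaded via the form.` should say so, otherwise the validity check belongs after `$this->package` is assigned so both paths share it. The two inner branches also differ only in the install page and the link label, so they can be folded into one: `$page = 'pluginzip' === $form ? 'plugin-install.php' : 'theme-install.php';` and `$label = 'pluginzip' === $form ? __( 'Return to the Plugin Installer' ) : __( 'Return to the Theme Installer' );`, followed by a single `sprintf()`/`wp_die()`. The URL passed into that `sprintf()` should go through `esc_url( self_admin_url( $page ) )` since it is rendered inside the `wp_die()` message (the format string's markup appears to have been stripped in this rendering). The enclosing constructor starts and ends outside this hunk.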
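Review bot: The `str_starts_with()` replacement keeps a bare prefix comparison, so a resolved package path under a sibling directory whose name merely begins with the uploads basedir (constructed example: `/srv/uploads-old/…` against `/srv/uploads`) would still pass; compare against the basedir plus a separator instead, and handle `realpath()` returning `false` explicitly rather than relying on coercion to an empty string: `$package_path = realpath( $this->package );`, `$base_path = realpath( $uploads['basedir'] );`, `if ( false === $package_path || false === $base_path || ! str_starts_with( $package_path, $base_path . DIRECTORY_SEPARATOR ) ) {`. This is a hardening of a check that already fails closed; behaviour for ordinary paths is unchanged. The `Delete`→`Deletes` docblock edit needs no further comment. The enclosing constructor begins outside this hunk.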