validate_file( string $file, array $allowed_files = array() )

Validates a file name and path against an allowed set of rules.


Description

A return value of 1 means the file path contains directory traversal.

A return value of 2 means the file path contains a Windows drive path.

A return value of 3 means the file is not in the allowed files list.


Parameters

$file

(string) (Required) File path.

$allowed_files

(array) (Optional) List of allowed files.

Default value: array()



Return

(int) 0 means the path passed every check; a value greater than 0 identifies the check that failed (see Description).



Source

File: wp-includes/functions.php

function validate_file( $file, $allowed_files = array() ) {
    // `../` on its own is not allowed:
    if ( '../' === $file ) {
        return 1;
    }
 
    // More than one occurrence of `../` is not allowed:
    if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
        return 1;
    }
 
    // `../` which does not occur at the end of the path is not allowed:
    if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
        return 1;
    }
 
    // Files not in the allowed file list are not allowed:
    if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) ) {
        return 3;
    }
 
    // Absolute Windows drive paths are not allowed:
    if ( ':' == substr( $file, 1, 1 ) ) {
        return 2;
    }
 
    return 0;
}
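The following is an added usage example, not code from the WordPress reference page. It assumes WordPress is loaded so that validate_file() is defined; the template directory, the allowlist and the template names are hypothetical, and the sample inputs are constructed to exercise each of the checks in the function above.

```php
<?php
// Added example (not from the WordPress reference page). Assumes WordPress
// is loaded so that validate_file() is available; the directory, allowlist
// and template names are hypothetical.

/**
 * Map a validate_file() return code to the reason documented for it.
 */
function describe_validate_file_code( $code ) {
    $reasons = array(
        0 => 'ok',
        1 => 'directory traversal',
        2 => 'Windows drive path',
        3 => 'not in allowed files list',
    );
    return isset( $reasons[ $code ] ) ? $reasons[ $code ] : 'unknown';
}

/**
 * Build the path of a template to include only if validate_file() accepts
 * the requested name against the allowlist; otherwise log and return null.
 */
function resolve_allowed_template( $base_dir, $requested, $allowed ) {
    $code = validate_file( $requested, $allowed );
    if ( 0 !== $code ) {
        error_log( sprintf(
            'Rejected template "%s": %s (code %d)',
            $requested,
            describe_validate_file_code( $code ),
            $code
        ) );
        return null;
    }
    return rtrim( $base_dir, '/' ) . '/' . $requested;
}

// Hypothetical allowlist: the only template names this plugin will load.
$allowed_templates = array( 'header.php', 'footer.php', 'sidebar.php' );
$template_dir      = __DIR__ . '/templates';

// Constructed sample inputs covering each check in validate_file(),
// including a single trailing `../`, which the third check permits.
$samples = array(
    'header.php',
    '../wp-config.php',
    'templates/../header.php',
    'C:/Windows/win.ini',
    'evil.php',
    'themes/../',
);

foreach ( $samples as $requested ) {
    // Run the same name with and without the allowlist to show how the
    // order of the checks changes which code is reported.
    $with_allowlist = validate_file( $requested, $allowed_templates );
    $no_allowlist   = validate_file( $requested );
    printf(
        "%-25s allowlist=%d (%s)  no-allowlist=%d (%s)\n",
        $requested,
        $with_allowlist, describe_validate_file_code( $with_allowlist ),
        $no_allowlist, describe_validate_file_code( $no_allowlist )
    );

    $path = resolve_allowed_template( $template_dir, $requested, $allowed_templates );
    if ( null !== $path ) {
        // Only an allowlisted, traversal-free name reaches this point;
        // this is where the template would be included.
        // include $path;
    }
}
```

Reading the function above, the checks run in a fixed order: the three `../` checks first (code 1), then the allowlist (code 3), then the drive-letter check (code 2). So a name such as `C:/Windows/win.ini` is reported as 3 when an allowlist is passed and as 2 when it is not. Note also that the checks match only the literal `../` sequence and that the third check deliberately permits a single `../` at the very end of the path, so `themes/../` passes with an empty allowlist. When the file name is influenced by user input, pass the `$allowed_files` list rather than relying on the traversal checks alone.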


Changelog

Version  Description
1.2.0    Introduced.

