validate_file( string $file, string[] $allowed_files = array() ): int
Validates a file name and path against an allowed set of rules.
Description
A return value of 1 means the file path contains directory traversal.
A return value of 2 means the file path contains a Windows drive path.
A return value of 3 means the file is not in the allowed files list.
The checks run in the order shown in the source below: traversal first, then the allow-list, then the drive letter. A path such as `C:/x.php` that is also absent from a non-empty `$allowed_files` therefore returns 3, not 2.
Two details matter when relying on this function. Only the forward-slash form `../` is detected: a single `../` at the very end of the path is accepted, and backslash-separated paths are not examined. A non-scalar or empty `$file` returns 0 rather than an error, so callers must still validate the type of untrusted input. The function is a pattern and allow-list check, not a filesystem canonicalisation; when the result is used to open a file, pair it with a `realpath()` containment check.
Parameters
$file (string) Required
File path.
$allowed_files (string[]) Optional
Array of allowed files.
Default: array()
Return
int 0 means nothing is wrong, greater than 0 means something was wrong.
Source
File: wp-includes/functions.php.
```php
function validate_file( $file, $allowed_files = array() ) {
	if ( ! is_scalar( $file ) || '' === $file ) {
		return 0;
	}

	// `../` on its own is not allowed:
	if ( '../' === $file ) {
		return 1;
	}

	// More than one occurrence of `../` is not allowed:
	if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
		return 1;
	}

	// `../` which does not occur at the end of the path is not allowed:
	if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
		return 1;
	}

	// Files not in the allowed file list are not allowed:
	if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files, true ) ) {
		return 3;
	}

	// Absolute Windows drive paths are not allowed:
	if ( ':' === substr( $file, 1, 1 ) ) {
		return 2;
	}

	return 0;
}
```
Related
Used By
| Used By | Description |
|---|---|
| WP_REST_Plugins_Controller::validate_plugin_param() wp-includes/rest-api/endpoints/class-wp-rest-plugins-controller.php | Checks that the “plugin” parameter is a valid path. |
| wp_edit_theme_plugin_file() wp-admin/includes/file.php | Attempts to edit a file for a theme or plugin. |
| wp_ajax_delete_plugin() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a plugin. |
| wp_ajax_update_plugin() wp-admin/includes/ajax-actions.php | Ajax handler for updating a plugin. |
| validate_plugin() wp-admin/includes/plugin.php | Validates the plugin path. |
| validate_file_to_edit() wp-admin/includes/file.php | Makes sure that the file that was requested to be edited is allowed to be edited. |
| download_url() wp-admin/includes/file.php | Downloads a URL to a local temporary file using the WordPress HTTP API. |
| _unzip_file_ziparchive() wp-admin/includes/file.php | Attempts to unzip an archive using the ZipArchive class. |
| _unzip_file_pclzip() wp-admin/includes/file.php | Attempts to unzip an archive using the PclZip library. |
| WP_Customize_Manager::__construct() wp-includes/class-wp-customize-manager.php | Constructor. |
| wp_get_active_and_valid_plugins() wp-includes/load.php | Retrieve an array of active and valid plugin files. |
| get_single_template() wp-includes/template.php | Retrieves path of single template in current or parent template. Applies to single Posts, single Attachments, and single custom post types. |
| get_page_template() wp-includes/template.php | Retrieves path of page template in current or parent template. |
| wp_get_active_network_plugins() wp-includes/ms-load.php | Returns array of network plugin files to be included in global scope. |
Changelog
| Version | Description |
|---|---|
| 1.2.0 | Introduced. |
© 2003–2022 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/validate_file