wpseek.com
Eine auf WordPress spezialiserte Suchmaschine für Entwickler und Theme-Autoren

validate_file › WordPress Function

Seit1.2.0

Veraltetn/v

› validate_file ( $file, $allowed_files = array() )

Parameter: (2)	(string) $file File path. Erforderlich: Ja (string[]) $allowed_files Optional. Array of allowed files. Default empty array. Erforderlich: Nein Standard: array()
Gibt zurück:	(int) 0 means nothing is wrong, greater than 0 means something was wrong.
Definiert in:	wp-includes/functions.php , Zeile 6227
Codex:	developer.wordpress.org / validate_file

Validates a file name and path against an allowed set of rules.

A return value of 1 means the file path contains directory traversal. A return value of 2 means the file path contains a Windows drive path. A return value of 3 means the file is not in the allowed files list.

Quellcode

function validate_file( $file, $allowed_files = array() ) {
	if ( ! is_scalar( $file ) || '' === $file ) {
		return 0;
	}

	// Normalize path for Windows servers.
	$file = wp_normalize_path( $file );
	// Normalize path for $allowed_files as well so it's an apples to apples comparison.
	$allowed_files = array_map( 'wp_normalize_path', $allowed_files );

	// `../` on its own is not allowed:
	if ( '../' === $file ) {
		return 1;
	}

	// More than one occurrence of `../` is not allowed:
	if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
		return 1;
	}

	// `../` which does not occur at the end of the path is not allowed:
	if ( str_contains( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
		return 1;
	}

	// Files not in the allowed file list are not allowed:
	if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files, true ) ) {
		return 3;
	}

	// Absolute Windows drive paths are not allowed:
	if ( ':' === substr( $file, 1, 1 ) ) {
		return 2;
	}

	return 0;
}