From 2f3e91028aa470139120380c3bae713482eeb06d Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Tue, 24 Oct 2017 23:15:49 +0000
Subject: [PATCH] Filesystem API: Add more specificity to the rules for valid
 files in `validate_file()`.

This now treats files containing `./` as valid, and also treats files containing a trailing `../` as valid due to widespread use of this pattern in theme and plugin zip files.

Adds tests.

Props Ipstenu, borgesbruno, DavidAnderson, philipjohn, birgire
Fixes #42016, #36170

Built from https://develop.svn.wordpress.org/trunk@42011


git-svn-id: http://core.svn.wordpress.org/trunk@41845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/file.php |  2 +-
 wp-includes/functions.php  | 17 ++++++++++++++---
 wp-includes/version.php    |  2 +-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php
index 416433e5a5..a834e5e161 100644
--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@@ -663,7 +663,7 @@ function wp_tempnam( $filename = '', $dir = '' ) {
  * @param array  $allowed_files Optional. Array of allowed files to edit, $file must match an entry exactly.
  * @return string|null
  */
-function validate_file_to_edit( $file, $allowed_files = '' ) {
+function validate_file_to_edit( $file, $allowed_files = array() ) {
 	$code = validate_file( $file, $allowed_files );
 
 	if (!$code )
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index a9c53d31e4..b5d21285b6 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -4252,16 +4252,27 @@ function iis7_supports_permalinks() {
  * @param array  $allowed_files Optional. List of allowed files.
  * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
  */
-function validate_file( $file, $allowed_files = '' ) {
-	if ( false !== strpos( $file, '..' ) )
+function validate_file( $file, $allowed_files = array() ) {
+	// `../` on its own is not allowed:
+	if ( '../' === $file ) {
 		return 1;
+	}
 
-	if ( false !== strpos( $file, './' ) )
+	// More than one occurence of `../` is not allowed:
+	if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
 		return 1;
+	}
 
+	// `../` which does not occur at the end of the path is not allowed:
+	if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
+		return 1;
+	}
+
+	// Files not in the allowed file list are not allowed:
 	if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) )
 		return 3;
 
+	// Absolute Windows drive paths are not allowed:
 	if (':' == substr( $file, 1, 1 ) )
 		return 2;
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index b8b08e48d2..80b979c518 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.9-beta3-42010';
+$wp_version = '4.9-beta3-42011';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.