wpseek.com
A WordPress-centric search engine for devs and theme authors
validate_file › WordPress Function
Since1.2.0
Deprecatedn/a
› validate_file ( $file, $allowed_files = array() )
Parameters: (2) |
|
Returns: |
|
Defined at: |
|
Codex: |
Validates a file name and path against an allowed set of rules.
A return value of1
means the file path contains directory traversal.
A return value of 2
means the file path contains a Windows drive path.
A return value of 3
means the file is not in the allowed files list.Related Functions: validate_email, validate_file_to_edit, validate_plugin, list_files, wp_validate_boolean
Source
function validate_file( $file, $allowed_files = array() ) { if ( ! is_scalar( $file ) || '' === $file ) { return 0; } // Normalize path for Windows servers. $file = wp_normalize_path( $file ); // Normalize path for $allowed_files as well so it's an apples to apples comparison. $allowed_files = array_map( 'wp_normalize_path', $allowed_files ); // `../` on its own is not allowed: if ( '../' === $file ) { return 1; } // More than one occurrence of `../` is not allowed: if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) { return 1; } // `../` which does not occur at the end of the path is not allowed: if ( str_contains( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) { return 1; } // Files not in the allowed file list are not allowed: if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files, true ) ) { return 3; } // Absolute Windows drive paths are not allowed: if ( ':' === substr( $file, 1, 1 ) ) { return 2; } return 0; }