Validates a file name and path against an allowed set of rules.
Description
A return value of 1
means the file path contains directory traversal.
A return value of 2
means the file path contains a Windows drive path.
A return value of 3
means the file is not in the allowed files list.
Parameters
$file
stringrequired- File path.
$allowed_files
string[]optional- Array of allowed files.
Default:
array()
Source
function validate_file( $file, $allowed_files = array() ) {
if ( ! is_scalar( $file ) || '' === $file ) {
return 0;
}
// Normalize path for Windows servers.
$file = wp_normalize_path( $file );
// Normalize path for $allowed_files as well so it's an apples to apples comparison.
$allowed_files = array_map( 'wp_normalize_path', $allowed_files );
// `../` on its own is not allowed:
if ( '../' === $file ) {
return 1;
}
// More than one occurrence of `../` is not allowed:
if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
return 1;
}
// `../` which does not occur at the end of the path is not allowed:
if ( str_contains( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
return 1;
}
// Files not in the allowed file list are not allowed:
if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files, true ) ) {
return 3;
}
// Absolute Windows drive paths are not allowed:
if ( ':' === substr( $file, 1, 1 ) ) {
return 2;
}
return 0;
}
Changelog
Version | Description |
---|---|
1.2.0 | Introduced. |
Valid file path
Invalid file path