W3cubDocs

/WordPress

validate_file( string $file, string[] $allowed_files = array() )

Validates a file name and path against an allowed set of rules.

Description

A return value of 1 means the file path contains directory traversal.

A return value of 2 means the file path contains a Windows drive path.

A return value of 3 means the file is not in the allowed files list.

Parameters

$file

(string) (Required) File path.

$allowed_files

(string[]) (Optional) Array of allowed files.

Default value: array()

Return

(int) 0 means nothing is wrong, greater than 0 means something was wrong.

Source

File: wp-includes/functions.php 

function validate_file( $file, $allowed_files = array() ) {
	// `../` on its own is not allowed:
	if ( '../' === $file ) {
		return 1;
	}

	// More than one occurence of `../` is not allowed:
	if ( preg_match_all( '#\.\./#', $file, $matches, PREG_SET_ORDER ) && ( count( $matches ) > 1 ) ) {
		return 1;
	}

	// `../` which does not occur at the end of the path is not allowed:
	if ( false !== strpos( $file, '../' ) && '../' !== mb_substr( $file, -3, 3 ) ) {
		return 1;
	}

	// Files not in the allowed file list are not allowed:
	if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files, true ) ) {
		return 3;
	}

	// Absolute Windows drive paths are not allowed:
	if ( ':' === substr( $file, 1, 1 ) ) {
		return 2;
	}

	return 0;
}

Used By

Used By Description
wp-includes/rest-api/endpoints/class-wp-rest-plugins-controller.php: WP_REST_Plugins_Controller::validate_plugin_param()

Checks that the “plugin” parameter is a valid path.
wp-admin/includes/file.php: wp_edit_theme_plugin_file()

Attempts to edit a file for a theme or plugin.
wp-admin/includes/ajax-actions.php: wp_ajax_delete_plugin()

Ajax handler for deleting a plugin.
wp-admin/includes/ajax-actions.php: wp_ajax_update_plugin()

Ajax handler for updating a plugin.
wp-admin/includes/plugin.php: validate_plugin()

Validate the plugin path.
wp-admin/includes/file.php: validate_file_to_edit()

Makes sure that the file that was requested to be edited is allowed to be edited.
wp-admin/includes/file.php: _unzip_file_ziparchive()

Attempts to unzip an archive using the ZipArchive class.
wp-admin/includes/file.php: _unzip_file_pclzip()

Attempts to unzip an archive using the PclZip library.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::__construct()

Constructor.
wp-includes/load.php: wp_get_active_and_valid_plugins()

Retrieve an array of active and valid plugin files.
wp-includes/template.php: get_single_template()

Retrieve path of single template in current or parent template. Applies to single Posts, single Attachments, and single custom post types.
wp-includes/template.php: get_page_template()

Retrieve path of page template in current or parent template.
wp-includes/ms-load.php: wp_get_active_network_plugins()

Returns array of network plugin files to be included in global scope.

Changelog

Version Description
1.2.0 Introduced.

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/validate_file