Why are double-periods (“..”) invalid in a WordPress image filename?

ms-files.php contains the following code fragment:

$file = rtrim( BLOGUPLOADDIR, '/' ) . '/' . str_replace( '..', '', $_GET[ 'file' ] );
if ( !is_file( $file ) ) {
    status_header( 404 );
    die( '404 — File not found.' );
}

This code determines whether or not the file can be found. However, it does something that I find… Odd. It removes all double-periods (“..”) from the string. Normally, this doesn’t matter, but we’ve had users upload files with two periods in a row (sigh), causing this portion of the code to incorrectly report code 404 (not found).


I’m tempted to remove the strange double-period-removing nature of this code, but I fear that I’ll inadvertently break something else. Why is this functionality present as it is coded?

Thanks! 🙂

Edit: To be clear, it would appear that double-periods are NOT invalid in WordPress, but they can’t be served up by this bit of code… So, they’re not invalid, but when accessed via this mechanism, 404 is incorrectly reported.


1 comment

  1. Looks like this is a defect. Ish.

    As @s_ha_dum mentioned, this is to prevent a directory traversal attack. However, WordPress’ Media Library will happily let you upload a file with two or more periods in a row, even if ms-files.php will refuse to serve it up.

    So, nothing is technically “broken”, but this certainly isn’t ideal. There’s a patch to prevent this, but it looks like it was never actually added to the core:

    https://core.trac.wordpress.org/attachment/ticket/16189/check%20for%20double%20periods.diff

    More info on this defect:
    https://core.trac.wordpress.org/ticket/12756
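
The gap described above, between stripping every ".." from the request and refusing only a ".." path segment, shown as an added example that is not part of the original post or of WordPress core. The helper `resolve_upload()`, the directory layout and the file names are hypothetical and constructed for the demo.

```php
<?php
// Added example; resolve_upload() is a hypothetical helper, not WordPress core code.

// Return the absolute path of a requested upload, or null if it must be refused.
function resolve_upload( string $base_dir, string $requested ): ?string {
    // Refuse NUL bytes and backslashes instead of trying to clean them up.
    if ( $requested === '' || strpos( $requested, "\0" ) !== false
        || strpos( $requested, '\\' ) !== false ) {
        return null;
    }
    // Traversal is a property of whole path segments, not of substrings:
    // "a/../b" climbs a directory, "photo..final.jpg" is an ordinary name.
    foreach ( explode( '/', $requested ) as $segment ) {
        if ( $segment === '..' ) {
            return null;
        }
    }
    $base = realpath( $base_dir );
    $path = realpath( rtrim( $base_dir, '/' ) . '/' . ltrim( $requested, '/' ) );
    if ( $base === false || $path === false || ! is_file( $path ) ) {
        return null;
    }
    // Containment check after symlinks are resolved: must sit under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp( $path, $prefix, strlen( $prefix ) ) === 0 ? $path : null;
}

// Constructed demo data in a temporary directory.
$base = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir( $base . '/site/2013', 0700, true );
file_put_contents( $base . '/site/2013/photo..final.jpg', 'image' );
file_put_contents( $base . '/outside.txt', 'not an upload' );
$uploads = $base . '/site';

foreach ( array( '2013/photo..final.jpg', '../outside.txt', '2013/../../outside.txt' ) as $req ) {
    // Behaviour of the fragment quoted in the question: strip, then look up.
    $stripped = $uploads . '/' . str_replace( '..', '', $req );
    printf( "%-24s strip: %-7s segment check: %s\n", $req,
        is_file( $stripped ) ? 'served' : '404',
        resolve_upload( $uploads, $req ) === null ? 'refused' : 'served' );
}

// Remove the demo files.
unlink( $base . '/site/2013/photo..final.jpg' );
unlink( $base . '/outside.txt' );
rmdir( $base . '/site/2013' );
rmdir( $base . '/site' );
rmdir( $base );
```

Both approaches turn away the two traversal requests, but only the segment check still finds the legitimately named `photo..final.jpg`.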
