WordPress 4.6.1
[autoinstalls/wordpress.git] / wp-admin / includes / class-file-upload-upgrader.php
index 35baa7faebcd6268516f4ecc48aeb5deff36f45a..eb4efe7121ebd5b89fabf3041f8718db9b9d0426 100644 (file)
@@ -100,8 +100,12 @@ class File_Upload_Upgrader {
                        if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
                                wp_die( $uploads['error'] );
 
-                       $this->filename = $_GET[$urlholder];
+                       $this->filename = sanitize_file_name( $_GET[ $urlholder ] );
                        $this->package = $uploads['basedir'] . '/' . $this->filename;
+
+                       if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
+                               wp_die( __( 'Please select a file' ) );
+                       }
                }
        }
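Review bot: The containment check added at L12 is a bare string-prefix test, so a sibling directory whose name begins with the uploads basedir (e.g. `basedir` + `-old`) would pass it, and when `realpath()` returns `false` for a non-existent package the comparison only fails by accident of `false` coercing to an empty string rather than by an explicit test. Anchoring the prefix on a directory separator and checking both `realpath()` results makes the intent explicit: `$base = realpath( $uploads['basedir'] );`, `$real = realpath( $this->package );`, `if ( false === $real || false === $base || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {`. This also rejects the case where `sanitize_file_name()` reduces the input to an empty string, since `$this->package` then resolves to the basedir itself and currently satisfies the check. The `wp_die()` message `Please select a file` reads as a validation hint rather than a rejected path, which is presumably deliberate to avoid leaking filesystem detail, but a comment on the check stating that it guards against traversal out of the uploads directory would help the next reader. The enclosing method begins before the hunk, so how `$urlholder` is populated is not visible here.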