X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/607b7e02d77e7326161e8ec15639052d2040f745..3d39054f012aefe514b3f5509e32f09fc4feda44:/wp-admin/includes/class-file-upload-upgrader.php?ds=sidebyside

diff --git a/wp-admin/includes/class-file-upload-upgrader.php b/wp-admin/includes/class-file-upload-upgrader.php
index 35baa7fa..eb4efe71 100644
--- a/wp-admin/includes/class-file-upload-upgrader.php
+++ b/wp-admin/includes/class-file-upload-upgrader.php
@@ -100,8 +100,12 @@ class File_Upload_Upgrader {
 			if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
 				wp_die( $uploads['error'] );
 
-			$this->filename = $_GET[$urlholder];
+			$this->filename = sanitize_file_name( $_GET[ $urlholder ] );
 			$this->package = $uploads['basedir'] . '/' . $this->filename;
+
+			if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
+				wp_die( __( 'Please select a file' ) );
+			}
 		}
 	}