Description: Upgrade/Install: Sanitize file name in File_Upload_Upgrader
Author: swisspidy@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/38524
Applied-Upstream: 4.6.1
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2016-09-10
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@@ -2326,8 +2326,12 @@
 			if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
 				wp_die( $uploads['error'] );
 
-			$this->filename = $_GET[$urlholder];
+			$this->filename = sanitize_file_name( $_GET[ $urlholder ] );
 			$this->package = $uploads['basedir'] . '/' . $this->filename;
+
+			if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
+				wp_die( __( 'Please select a file' ) );
+			}
 		}
 	}
 
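Review bot: The containment check on the new line `if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) )` is a plain string-prefix test, so a resolved path inside a sibling directory whose name merely begins with the upload basedir's name (say `uploads-old` beside `uploads`) would also be accepted; comparing against the basedir with a trailing separator closes that gap: `if ( 0 !== strpos( realpath( $this->package ), trailingslashit( realpath( $uploads['basedir'] ) ) ) )`. The line also deserves a comment that `realpath()` returns false for a file that does not exist, which `strpos()` treats as an empty haystack, so a missing upload ends in the same `wp_die()` — presumably the intended fail-closed behaviour, but it is not obvious from the code. The enclosing method starts outside the hunk, so whether `$this->filename` can be empty after `sanitize_file_name()` (in which case `$this->package` is the basedir itself and passes the check) cannot be confirmed here.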
