- fixed directory checking for localhosts;

Nikita Sinelnikov
2022-10-10 15:29:30 +03:00
parent 0c8e24a194
commit 6746f0ce03
+2 -2
@@ -285,8 +285,8 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
if ( file_exists( $file ) ) {
// Avoid Directory Traversal vulnerability by the checking the realpath.
// Templates can be situated only in the get_stylesheet_directory() or plugindir templates.
$real_file = realpath( $file );
if ( 0 === strpos( $real_file, um_path . "templates" . DIRECTORY_SEPARATOR ) || 0 === strpos( $real_file, get_stylesheet_directory() . DIRECTORY_SEPARATOR . 'ultimate-member' . DIRECTORY_SEPARATOR . 'templates' . DIRECTORY_SEPARATOR ) ) {
$real_file = wp_normalize_path( realpath( $file ) );
if ( 0 === strpos( $real_file, wp_normalize_path( um_path . "templates" . DIRECTORY_SEPARATOR ) ) || 0 === strpos( $real_file, wp_normalize_path( get_stylesheet_directory() . DIRECTORY_SEPARATOR . 'ultimate-member' . DIRECTORY_SEPARATOR . 'templates' . DIRECTORY_SEPARATOR ) ) ) {
include $file;
}
}
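Review bot: The path that is validated is not the path that is loaded: the prefix test runs on `$real_file`, but `include $file;` just below it still takes the unresolved `$file`, so the check and the include each resolve the path separately. Loading the canonical path that passed the test, `include $real_file;`, closes that gap. Separately, only the candidate goes through `realpath()`; the two allowed bases are normalised but not resolved, so if the plugin or theme directory is reached through a symlink the prefixes will not match and legitimate templates are rejected (the check fails closed, so this is a robustness issue rather than a bypass). Resolving the bases as well, e.g. `wp_normalize_path( realpath( um_path . 'templates' ) ) . '/'`, compares like with like. How `$file` is built is outside this hunk, so whether it carries request-controlled segments cannot be confirmed from here.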