validate_file

The timeline below displays how wordpress function validate_file has changed across different WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.3

/**
 * Validates a file name and path against an allowed set of rules.
 *
 * A return value of `1` means the file path contains directory traversal.
 *
 * A return value of `2` means the file path contains a Windows drive path.
 *
 * A return value of `3` means the file is not in the allowed files list.
 *
 * @since 1.2.0
 *
 * @param string   $file          File path.
 * @param string[] $allowed_files Optional. Array of allowed files. Default empty array.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = array())
{
    if (!is_scalar($file) || '' === $file) {
        return 0;
    }
    // `../` on its own is not allowed:
    if ('../' === $file) {
        return 1;
    }
    // More than one occurrence of `../` is not allowed:
    if (preg_match_all('#\.\./#', $file, $matches, PREG_SET_ORDER) && count($matches) > 1) {
        return 1;
    }
    // `../` which does not occur at the end of the path is not allowed:
    if (str_contains($file, '../') && '../' !== mb_substr($file, -3, 3)) {
        return 1;
    }
    // Files not in the allowed file list are not allowed:
    if (!empty($allowed_files) && !in_array($file, $allowed_files, true)) {
        return 3;
    }
    // Absolute Windows drive paths are not allowed:
    if (':' === substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 6.2

/**
 * Validates a file name and path against an allowed set of rules.
 *
 * A return value of `1` means the file path contains directory traversal.
 *
 * A return value of `2` means the file path contains a Windows drive path.
 *
 * A return value of `3` means the file is not in the allowed files list.
 *
 * @since 1.2.0
 *
 * @param string   $file          File path.
 * @param string[] $allowed_files Optional. Array of allowed files. Default empty array.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = array())
{
    if (!is_scalar($file) || '' === $file) {
        return 0;
    }
    // `../` on its own is not allowed:
    if ('../' === $file) {
        return 1;
    }
    // More than one occurrence of `../` is not allowed:
    if (preg_match_all('#\.\./#', $file, $matches, PREG_SET_ORDER) && count($matches) > 1) {
        return 1;
    }
    // `../` which does not occur at the end of the path is not allowed:
    if (false !== strpos($file, '../') && '../' !== mb_substr($file, -3, 3)) {
        return 1;
    }
    // Files not in the allowed file list are not allowed:
    if (!empty($allowed_files) && !in_array($file, $allowed_files, true)) {
        return 3;
    }
    // Absolute Windows drive paths are not allowed:
    if (':' === substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 5.9

/**
 * Validates a file name and path against an allowed set of rules.
 *
 * A return value of `1` means the file path contains directory traversal.
 *
 * A return value of `2` means the file path contains a Windows drive path.
 *
 * A return value of `3` means the file is not in the allowed files list.
 *
 * @since 1.2.0
 *
 * @param string   $file          File path.
 * @param string[] $allowed_files Optional. Array of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = array())
{
    if (!is_scalar($file) || '' === $file) {
        return 0;
    }
    // `../` on its own is not allowed:
    if ('../' === $file) {
        return 1;
    }
    // More than one occurrence of `../` is not allowed:
    if (preg_match_all('#\.\./#', $file, $matches, PREG_SET_ORDER) && count($matches) > 1) {
        return 1;
    }
    // `../` which does not occur at the end of the path is not allowed:
    if (false !== strpos($file, '../') && '../' !== mb_substr($file, -3, 3)) {
        return 1;
    }
    // Files not in the allowed file list are not allowed:
    if (!empty($allowed_files) && !in_array($file, $allowed_files, true)) {
        return 3;
    }
    // Absolute Windows drive paths are not allowed:
    if (':' === substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 5.5

/**
 * Validates a file name and path against an allowed set of rules.
 *
 * A return value of `1` means the file path contains directory traversal.
 *
 * A return value of `2` means the file path contains a Windows drive path.
 *
 * A return value of `3` means the file is not in the allowed files list.
 *
 * @since 1.2.0
 *
 * @param string   $file          File path.
 * @param string[] $allowed_files Optional. Array of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = array())
{
    // `../` on its own is not allowed:
    if ('../' === $file) {
        return 1;
    }
    // More than one occurence of `../` is not allowed:
    if (preg_match_all('#\.\./#', $file, $matches, PREG_SET_ORDER) && count($matches) > 1) {
        return 1;
    }
    // `../` which does not occur at the end of the path is not allowed:
    if (false !== strpos($file, '../') && '../' !== mb_substr($file, -3, 3)) {
        return 1;
    }
    // Files not in the allowed file list are not allowed:
    if (!empty($allowed_files) && !in_array($file, $allowed_files, true)) {
        return 3;
    }
    // Absolute Windows drive paths are not allowed:
    if (':' === substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 5.4

/**
 * Validates a file name and path against an allowed set of rules.
 *
 * A return value of `1` means the file path contains directory traversal.
 *
 * A return value of `2` means the file path contains a Windows drive path.
 *
 * A return value of `3` means the file is not in the allowed files list.
 *
 * @since 1.2.0
 *
 * @param string   $file          File path.
 * @param string[] $allowed_files Optional. Array of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = array())
{
    // `../` on its own is not allowed:
    if ('../' === $file) {
        return 1;
    }
    // More than one occurence of `../` is not allowed:
    if (preg_match_all('#\.\./#', $file, $matches, PREG_SET_ORDER) && count($matches) > 1) {
        return 1;
    }
    // `../` which does not occur at the end of the path is not allowed:
    if (false !== strpos($file, '../') && '../' !== mb_substr($file, -3, 3)) {
        return 1;
    }
    // Files not in the allowed file list are not allowed:
    if (!empty($allowed_files) && !in_array($file, $allowed_files)) {
        return 3;
    }
    // Absolute Windows drive paths are not allowed:
    if (':' == substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 4.9

/**
 * Validates a file name and path against an allowed set of rules.
 *
 * A return value of `1` means the file path contains directory traversal.
 *
 * A return value of `2` means the file path contains a Windows drive path.
 *
 * A return value of `3` means the file is not in the allowed files list.
 *
 * @since 1.2.0
 *
 * @param string $file          File path.
 * @param array  $allowed_files Optional. List of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = array())
{
    // `../` on its own is not allowed:
    if ('../' === $file) {
        return 1;
    }
    // More than one occurence of `../` is not allowed:
    if (preg_match_all('#\.\./#', $file, $matches, PREG_SET_ORDER) && count($matches) > 1) {
        return 1;
    }
    // `../` which does not occur at the end of the path is not allowed:
    if (false !== strpos($file, '../') && '../' !== mb_substr($file, -3, 3)) {
        return 1;
    }
    // Files not in the allowed file list are not allowed:
    if (!empty($allowed_files) && !in_array($file, $allowed_files)) {
        return 3;
    }
    // Absolute Windows drive paths are not allowed:
    if (':' == substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 4.3

/**
 * File validates against allowed set of defined rules.
 *
 * A return value of '1' means that the $file contains either '..' or './'. A
 * return value of '2' means that the $file contains ':' after the first
 * character. A return value of '3' means that the file is not in the allowed
 * files list.
 *
 * @since 1.2.0
 *
 * @param string $file File path.
 * @param array  $allowed_files List of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = '')
{
    if (false !== strpos($file, '..')) {
        return 1;
    }
    if (false !== strpos($file, './')) {
        return 1;
    }
    if (!empty($allowed_files) && !in_array($file, $allowed_files)) {
        return 3;
    }
    if (':' == substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}

WordPress Version: 3.7

/**
 * File validates against allowed set of defined rules.
 *
 * A return value of '1' means that the $file contains either '..' or './'. A
 * return value of '2' means that the $file contains ':' after the first
 * character. A return value of '3' means that the file is not in the allowed
 * files list.
 *
 * @since 1.2.0
 *
 * @param string $file File path.
 * @param array $allowed_files List of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file($file, $allowed_files = '')
{
    if (false !== strpos($file, '..')) {
        return 1;
    }
    if (false !== strpos($file, './')) {
        return 1;
    }
    if (!empty($allowed_files) && !in_array($file, $allowed_files)) {
        return 3;
    }
    if (':' == substr($file, 1, 1)) {
        return 2;
    }
    return 0;
}