From dda98b1dde4d0276311b4055abf557f95365d3c3 Mon Sep 17 00:00:00 2001
From: Donncha O Caoimh <5656673+donnchawp@users.noreply.github.com>
Date: Wed, 27 May 2026 16:40:36 +0100
Subject: [PATCH] Restrict supercache filename to a safe character set

Ensure the generated supercache filename is always a single, well-formed path segment regardless of what filters return.
---
 wp-cache-phase2.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wp-cache-phase2.php b/wp-cache-phase2.php
index d3c5ce3d..e5ab14dd 100644
--- a/wp-cache-phase2.php
+++ b/wp-cache-phase2.php
@@ -1089,6 +1089,11 @@ function supercache_filename() {
 	if ( is_array( $cached_direct_pages ) && in_array( $_SERVER['REQUEST_URI'], $cached_direct_pages ) ) {
 		$extra_str = '';
 	}
+
+	// The filename must always be a single path segment. Filters above may
+	// return arbitrary data, so restrict it to a safe set of characters.
+	$extra_str = preg_replace( '/[^a-zA-Z0-9_-]/', '', (string) $extra_str );
+
 	$filename = 'index' . $extra_str . '.html';
 
 	return $filename;