Update src/WP_CLI/CommandWithUpgrade.php

swissspidy · Copilot · web-flow · commit 9f699f16bcb5 · 2026-01-19T17:18:59.000+01:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/src/WP_CLI/CommandWithUpgrade.php b/src/WP_CLI/CommandWithUpgrade.php
@@ -364,6 +364,8 @@ protected function install_from_php_file( $url, $assoc_args ) {
 		$filename = Utils\basename( $url_path );
 
 		// Validate the filename doesn't contain directory separators or relative path components.
+		// Note: Utils\basename() already strips directory components (including ".."), so this check
+		// is primarily a defense-in-depth safeguard in case its behavior changes or is bypassed.
 		if ( strpos( $filename, '/' ) !== false || strpos( $filename, '\\' ) !== false || strpos( $filename, '..' ) !== false ) {
 			return new WP_Error( 'invalid_filename', 'The filename contains invalid path components.' );
 		}

Original file line number	Diff line number	Diff line change
`@@ -364,6 +364,8 @@ protected function install_from_php_file( $url, $assoc_args ) {`
`364`	`364`	`$filename = Utils\basename( $url_path );`
`365`	`365`
`366`	`366`	`// Validate the filename doesn't contain directory separators or relative path components.`
	`367`	`+ // Note: Utils\basename() already strips directory components (including ".."), so this check`
	`368`	`+ // is primarily a defense-in-depth safeguard in case its behavior changes or is bypassed.`
`367`	`369`	`if ( strpos( $filename, '/' ) !== false \|\| strpos( $filename, '\\' ) !== false \|\| strpos( $filename, '..' ) !== false ) {`
`368`	`370`	`return new WP_Error( 'invalid_filename', 'The filename contains invalid path components.' );`
`369`	`371`	`}`