Filesystem: Normalize allowed_files so comparison is apples to apples.

In [58470] a change was made to normalize the filename in validate_file, however this leads to instances where the list of files that are allowed aren't normalized such as in the theme editor. By normalizing the array, the comparison is apples to apples.

Reviewed by hellofromTonya.
Merges 58570 to the 6.5 branch.

Fixes #61488.
Props jorbin, hellofromtonya, swissspidy, misulicus, script2see, Presskopp, audrasjb, peterwilsoncc, siliconforks, littler.chicken, paulkevan,


git-svn-id: https://develop.svn.wordpress.org/branches/6.5@58808 602fd350-edb4-49c9-b593-d223f7449a82

Author: aaronjorbin

src/wp-includes/functions.php

@@ -6192,8 +6192,10 @@ function validate_file( $file, $allowed_files = array() ) {
 		return 0;
 	}
 
-	// Normalize path for Windows servers
+	// Normalize path for Windows servers.
 	$file = wp_normalize_path( $file );
+	// Normalize path for $allowed_files as well so it's an apples to apples comparison.
+	$allowed_files = array_map( 'wp_normalize_path', $allowed_files );
 
 	// `../` on its own is not allowed:
 	if ( '../' === $file ) {

tests/phpunit/tests/functions.php

@@ -1793,6 +1793,7 @@ static function ( $mimes ) use ( $woff_mime_type ) {
 	 * Test file path validation
 	 *
 	 * @ticket 42016
+	 * @ticket 61488
 	 * @dataProvider data_validate_file
 	 *
 	 * @param string $file          File path.
@@ -1913,6 +1914,13 @@ public function data_validate_file() {
 				2,
 			),
 
+			// Windows Path with allowed file
+			array(
+				'Apache24\htdocs\wordpress/wp-content/themes/twentyten/style.css',
+				array( 'Apache24\htdocs\wordpress/wp-content/themes/twentyten/style.css' ),
+				0,
+			),
+
 			// Disallowed files:
 			array(
 				'foo.ext',