Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

johnbillion · johnbillion · commit 65ce791d78e6 · 2026-03-11T13:32:39.000Z
This brings the handling inline with the same guard condition in _unzip_file_ziparchive() with ZipArchive. Merges [61887] into the 6.9 branch. Props johnbillion, peterwilsoncc, xknown. git-svn-id: https://develop.svn.wordpress.org/branches/6.9@61935 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php
@@ -1901,6 +1901,11 @@ function _unzip_file_pclzip( $file, $to, $needed_dirs = array() ) {
 			continue;
 		}
 
+		// Don't extract invalid files:
+		if ( 0 !== validate_file( $file['filename'] ) ) {
+			continue;
+		}
+
 		$uncompressed_size += $file['size'];
 
 		$needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname( $file['filename'] ) );
