When WP-CLI is run without an explicit --path flag, it traverses upward from the current working directory searching for a WordPress installation. For each directory that contains an index.php file, it calls extract_subdir_path(). This function attempts to read the file and uses a regular expression to find the path expression in the require(...) line (typically pointing to wp-blog-header.php). The extracted content is then passed directly to PHP eval() to resolve the path, which can lead to unexpected side-effects.
- Replace eval() with Safe Parsing: Rewrite extract_subdir_path() to avoid eval(). Instead, use a strict regular expression to parse the path.
- Strict Allowlist: The parser should only allow safe path characters and simple, common string constants (like __DIR__ or dirname(__FILE__)) and basic string concatenation. Any complex expressions or function calls in the require statement should cause the extraction to fail safely rather than being executed.
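One way to implement the allowlist parser described above, as an added example that is not WP-CLI's own code. The function name safe_extract_subdir_path(), its $index_dir parameter, the restriction to a target named wp-blog-header.php, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not WP-CLI's actual implementation.
// Resolves the require(...) expression found in index.php without eval().
function safe_extract_subdir_path( string $index_code, string $index_dir ): ?string {
    // Find the require statement; the expression may or may not be parenthesised.
    if ( ! preg_match( '/^\s*require(?:_once)?\s*\(?(.+?)\)?\s*;/m', $index_code, $m ) ) {
        return null;
    }
    // Allowlisted terms: __DIR__, dirname(__FILE__), or a quoted literal made
    // only of path characters (no $, backslash or parentheses).
    $term = '(?:__DIR__|dirname\(\s*__FILE__\s*\)|\'[\w.\/-]*\'|"[\w.\/-]*")';
    // The whole expression must be terms joined by the "." operator, nothing else.
    $expr = '~^\s*' . $term . '(?:\s*\.\s*' . $term . ')*\s*$~';
    if ( ! preg_match( $expr, $m[1] ) ) {
        return null; // Function calls, variables, other operators: fail closed.
    }
    // Substitute each term with its value and concatenate as plain strings.
    preg_match_all( '~' . $term . '~', $m[1], $terms );
    $path = '';
    foreach ( $terms[0] as $t ) {
        $is_literal = ( "'" === $t[0] || '"' === $t[0] );
        $path      .= $is_literal ? substr( $t, 1, -1 ) : $index_dir;
    }
    // Assumption: only a target named wp-blog-header.php is accepted.
    if ( 'wp-blog-header.php' !== basename( $path ) ) {
        return null;
    }
    // Return the directory that contains wp-blog-header.php.
    return dirname( $path );
}

// Constructed sample index.php contents (not taken from a real site).
$samples = array(
    "<?php\nrequire __DIR__ . '/wp-blog-header.php';",
    "<?php\nrequire( dirname( __FILE__ ) . '/wp/wp-blog-header.php' );",
    "<?php\nrequire( getenv( 'HOME' ) . '/wp-blog-header.php' );", // rejected
);
foreach ( $samples as $code ) {
    var_dump( safe_extract_subdir_path( $code, '/var/www/site' ) );
}
```

The first two samples resolve to a directory; the third contains a function call outside the allowlist, so the helper returns null and nothing from the file is executed.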