From afc2b737b9ad939f0c687b53824dfbdabf241e1c Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Wed, 8 Apr 2009 18:34:46 +0000
Subject: [PATCH] Require active plugin files to end in .php. Props hakre. fixes #9406
git-svn-id: https://develop.svn.wordpress.org/trunk@10892 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-settings.php | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/wp-settings.php b/wp-settings.php
index 38ea27f888..83aa03192e 100644
--- a/wp-settings.php
+++ b/wp-settings.php
@@ -512,16 +512,22 @@ if ( get_option('hack_file') ) {
 require(ABSPATH . 'my-hacks.php');
 }
-if ( get_option('active_plugins') && !defined('WP_INSTALLING') ) {
- $current_plugins = get_option('active_plugins');
- if ( is_array($current_plugins) ) {
- foreach ( $current_plugins as $plugin ) {
- if ( '' != $plugin && 0 == validate_file($plugin) && file_exists(WP_PLUGIN_DIR . '/' . $plugin) )
- include_once(WP_PLUGIN_DIR . '/' . $plugin);
- }
- unset($plugin);
+$current_plugins = get_option('active_plugins');
+if ( is_array($current_plugins) && !defined('WP_INSTALLING') ) {
+ foreach ( $current_plugins as $plugin ) {
+ // check the $plugin filename
+ // Validate plugin filename
+ if ( validate_file($plugin) // $plugin must validate as file
+ || '.php' != substr($plugin, -4) // $plugin must end with '.php'
+ || !file_exists(WP_PLUGIN_DIR . '/' . $plugin) // $plugin must exist
+ )
+ continue;
+
+ include_once(WP_PLUGIN_DIR . '/' . $plugin);
 }
+ unset($plugin);
 }
+unset($current_plugins);
 require (ABSPATH . WPINC . '/pluggable.php');
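Review bot: `file_exists()` in the new guard also returns true for a directory, so an `active_plugins` entry naming a directory that ends in `.php` passes all three checks and still reaches `include_once`; `|| !is_file(WP_PLUGIN_DIR . '/' . $plugin)` would restrict the include to regular files. The guard is the only gate between a database-stored string and code execution, and it depends on `validate_file()`, whose body is outside this hunk, to reject traversal sequences, which is worth confirming because the `.php` suffix test alone does not constrain the directory. Entries that fail are skipped by a bare `continue`, so a corrupted or tampered option leaves no trace; consider recording the rejected value for later review. The two adjacent comments `// check the $plugin filename` and `// Validate plugin filename` say the same thing and one can go.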