[theme-reviewers] Theme submission fails on WARNING

Darren Slatten darrenslatten at gmail.com
Sat Jun 25 18:24:57 UTC 2011


So would it make sense to establish a best practice (or requirement) where
themes should not (or must not) create files at all? In other words, themes
would need to ship with those files already in place, even if only to
function as placeholders to be overwritten.

Regarding the 666 permissions and Editor, why not have WP do a simple check
for unsafe permissions and alert/remind the user to change them back to a
more secure setting?

I'm just thinking out loud here.


On Sat, Jun 25, 2011 at 8:20 AM, Otto <otto at ottodestruct.com> wrote:

> On Fri, Jun 24, 2011 at 6:02 PM, Darren Slatten <darrenslatten at gmail.com>
> wrote:
> > WordPress writes data to theme files via the Appearance => Editor admin
> > panel, without requiring FTP credentials. It only requires that the file
> > being edited has '666' permissions, which I assume the user has to
> > configure manually.
>
> Few things about that.
>
> 1. They keep trying to remove that functionality from WordPress. I
> keep arguing for it to be left in there.
>
> 2. Writing to existing files doesn't change ownership of them.
> Creating new files as a different user leaves them with the ownership
> of the creating process, which is the main problem with creating files
> on (non-setuid) shared hosting.
>
> 3. Files having 666 permissions is dangerous as hell too. It is not
> recommended. Standard permissions in WP are 644 for files and 755 for
> directories, as we state on the codex.
>
> 4. If a site is using setuid methods (like I described in the previous
> email), then that editor doesn't require 666 permissions. It works
> perfectly happily with 644 perms.
>
> -Otto
>
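
The permission check proposed in this message, sketched as an added example (not code from the thread or from WordPress). It walks a theme directory and reports entries that are world-writable, looser than the 644/755 baseline quoted above, or owned by an unexpected account, which is the ownership problem from point 2. The name `audit_theme_dir` and the `expected_uid` parameter are hypothetical.

```python
import os
import stat

# Baseline quoted in the thread: 644 for files, 755 for directories.
BASELINE_FILE = 0o644
BASELINE_DIR = 0o755


def audit_theme_dir(root, expected_uid):
    """Return a sorted list of (relative_path, octal_mode, problems).

    expected_uid is the account that should own the theme files
    (assumption: the site owner's account, not the web server's).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the theme
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            baseline = BASELINE_DIR if stat.S_ISDIR(st.st_mode) else BASELINE_FILE
            problems = []
            if mode & stat.S_IWOTH:
                # e.g. 666: any local account on a shared host can rewrite it
                problems.append("world-writable")
            elif mode & ~baseline:
                # any bit set beyond the baseline (group write, exec, setuid)
                problems.append("looser than %03o" % baseline)
            if st.st_uid != expected_uid:
                # files created by the web server process end up owned by it
                problems.append("owned by uid %d, expected %d"
                                % (st.st_uid, expected_uid))
            if problems:
                findings.append((os.path.relpath(path, root),
                                 "%03o" % mode, problems))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    theme_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode, problems in audit_theme_dir(theme_dir, os.getuid()):
        print("%s  %s  %s" % (mode, rel, ", ".join(problems)))
```
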