[wp-hackers] Backup plugin and writability
Scott Merrill
skippy at skippy.net
Sun Jan 8 19:23:25 GMT 2006
Elliotte Harold wrote:
> Scott Merrill wrote:
>
>>> 1. Why is it trying to write anything to /var/www/cafe/?
>>> /var/www/cafe/wp-content/backup-05ad9/ I understand, but /var/www/cafe
>>> shouldn't need to be written.
>>
>>
>> It's checking whether it can create the directory it needs.
>
>
> Then why doesn't the message mention /var/www/cafe/wp-content instead of
> /var/www/cafe ?
I can't answer this one, as these changes were put in by Matt.
>>> 2. Why isn't it using /usr/tmp for temporary files like a good Unix
>>> program?
>>
>>
>> WordPress is not a good UNIX program, it's a web-based application. It
>> might be running on Windows, in which case /usr/tmp is a bogus value.
>>
>
> Java has a platform independent means of finding the temporary files
> directory and creating a temporary file. Does PHP? Even if it doesn't it
> shouldn't be that hard to figure out if we're on Unix or Windows and
> choose the temporary directory accordingly.
Using a system-wide temporary directory is probably a bad idea, since
the database contains password hashes, non-public email addresses, and
possibly unpublished posts which should remain private.
The backup should be considered private, and as such should not be
spooled to any publicly accessible directories. Yes, I realize that the
instructions in my original plugin did encourage people to relax
permissions on their /wp-content/backup/ directory, but that was mostly
due to problems with various hosting providers. Matt's modifications to
use /backup-<hash>/ help obfuscate the backup directory from casual
snooping.
--
skippy at skippy.net | http://skippy.net/
gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49 3544 476A 7DEC 9CFA 4B35
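The two points argued above, that the writability check must target the directory the backup directory is created *in*, and that the dump belongs in a private, non-guessable location rather than a shared temp directory, can be shown in a few lines of PHP. The snippet below is an added example written for this page; it is not the backup plugin's code or WordPress core, and it assumes a hypothetical `$content_dir` standing in for the real `WP_CONTENT_DIR`, uses `random_bytes()` (PHP 7+) where the plugin's own hash scheme is not described, and writes an Apache-style `.htaccess` as an extra guard for hosts where `wp-content` is served directly.

```php
<?php
// Added example, not the plugin's code: create a private backup directory
// under wp-content and fail closed when the parent is not writable.

/**
 * Create an owner-only backup directory with a random suffix inside $content_dir.
 * Returns the created path or throws when it cannot be made private.
 */
function create_private_backup_dir(string $content_dir): string
{
    // The check the thread discusses: the new directory is created inside
    // wp-content, so wp-content (not its parent) must be writable.
    if (!is_dir($content_dir) || !is_writable($content_dir)) {
        throw new RuntimeException("$content_dir is not a writable directory");
    }

    // Random suffix instead of a fixed /backup/ name (assumption: the thread only
    // says "backup-<hash>", so a CSPRNG hex string is used here).
    $dir = $content_dir . '/backup-' . bin2hex(random_bytes(8));

    // 0700: the dump contains password hashes and private e-mail addresses,
    // so group/world get nothing. mkdir's mode is subject to umask, hence chmod.
    if (!mkdir($dir, 0700) || !chmod($dir, 0700)) {
        throw new RuntimeException("could not create private directory $dir");
    }

    // Second layer for Apache hosts where wp-content is web-reachable: deny HTTP
    // access even if a hosting provider later relaxes filesystem permissions.
    $htaccess = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
              . "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n";
    if (file_put_contents($dir . '/.htaccess', $htaccess) === false) {
        throw new RuntimeException("could not write .htaccess in $dir");
    }

    return $dir;
}

// Stand-alone demo: a constructed wp-content directory under the system temp dir.
$content_dir = sys_get_temp_dir() . '/wp-content-demo';
@mkdir($content_dir, 0700, true);

$backup_dir = create_private_backup_dir($content_dir);
printf("backup directory: %s (mode %o)\n", $backup_dir, fileperms($backup_dir) & 0777);
```

Note that `sys_get_temp_dir()` appears here only to give the demo a place to run; in a real install the parent would be `WP_CONTENT_DIR`, precisely because a world-readable system temp directory is the location the reply argues against.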