[wp-trac] [WordPress Trac] #10423: get_filesystem_method() uses wrong owner for validation

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 16 10:58:23 UTC 2009


#10423: get_filesystem_method() uses wrong owner for validation
-----------------------------+----------------------------------------------
 Reporter:  cyberspice       |       Owner:  dd32      
     Type:  defect (bug)     |      Status:  new       
 Priority:  normal           |   Milestone:  Unassigned
Component:  Upgrade/Install  |     Version:  2.8.1     
 Severity:  normal           |    Keywords:  Upgrade   
-----------------------------+----------------------------------------------
 The function get_filesystem_method() creates a temporary file and then
 checks the ownership comparing it with the result of getmyuid().
 getmyuid() does not return the owner of the web server process but of the
 file calling getmyuid().  In this case wp-admin/includes/file.php.  This
 means that in order to support automatic update the WordPress files have
 to be owned by the same process as the webserver regardless of permissions
 on the files.  This is a potential security risk.

 If posix_getuid() is used where available then the owner of the webserver
 process is compared to the ownership of the temp file.  The WordPress
 files can be owned by someone else and the update system works as long as
 the webserver has permissions to write.

 I have written more about this (together with a fix) in my blog.

 [http://www.cyberspice.org.uk/blog/2009/07/15/wordpress-automatic-update-bug/]

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10423>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
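The following script is an added illustration of the ownership check the ticket describes; it is not the reporter's patch and not WordPress core code. It creates a temporary file the way get_filesystem_method() does and compares the file's owner against both getmyuid() (the uid owning the script file) and posix_getuid() (the uid of the running web server or CLI process). The function name check_direct_write_owner() and the output format are assumptions made for this example.

```php
<?php
// Added example (not from the ticket or WordPress): shows why comparing a
// freshly created temp file's owner against getmyuid() tests the wrong thing.
//
// - getmyuid()     : uid that OWNS THIS SCRIPT FILE on disk
// - posix_getuid() : uid of the PROCESS that is running (web server / CLI user)
// - fileowner($tmp): uid of the process that created the temp file, i.e. the
//                    same value as posix_getuid() on a normal filesystem
//
// Only the posix_getuid() comparison tells you whether the process can write
// files that will end up owned by itself; the getmyuid() comparison merely
// tells you whether the code base happens to be owned by the same uid.

function check_direct_write_owner(string $dir): array
{
    $tmp = tempnam($dir, 'owner-check-');
    if ($tmp === false) {
        throw new RuntimeException("Cannot create a temporary file in $dir");
    }

    try {
        $tempOwner   = fileowner($tmp);   // who owns the file we just created
        $scriptOwner = getmyuid();        // who owns this .php file
        $processUid  = function_exists('posix_getuid') ? posix_getuid() : null;

        return [
            'temp_file_owner'      => $tempOwner,
            'script_file_owner'    => $scriptOwner,
            'process_uid'          => $processUid,
            // What the reported code effectively tests:
            'matches_script_owner' => $tempOwner === $scriptOwner,
            // What the ticket proposes to test where POSIX functions exist:
            'matches_process_uid'  => $processUid !== null && $tempOwner === $processUid,
        ];
    } finally {
        unlink($tmp); // never leave the probe file behind
    }
}

// Demonstration: run as the web server user against a directory it can write.
$result = check_direct_write_owner(sys_get_temp_dir());
foreach ($result as $key => $value) {
    printf("%-22s %s\n", $key, var_export($value, true));
}

// Interpretation for an administrator:
// matches_process_uid === true  -> the process creates files it owns; a
//                                  "direct" write method is viable even if
//                                  the code base belongs to a different user.
// matches_script_owner === false while matches_process_uid === true
//                               -> exactly the case in the report: the
//                                  getmyuid() comparison wrongly rejects it.
```

When posix_getuid() is unavailable (the POSIX extension is not compiled in), the script falls back to reporting process_uid as null; a deployment in that state has no way to distinguish the two cases from PHP alone, which is why the ticket says "where available".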

