[wp-trac] [WordPress Trac] #17227: wp should work around bug in move_uploaded_file for tighter security

WordPress Trac wp-trac at lists.automattic.com
Sun Apr 24 00:28:51 UTC 2011


#17227: wp should work around bug in move_uploaded_file for tighter security
--------------------------+-----------------------------
 Reporter:  chrishecker   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 Andrew Nacin said I should put this in a new ticket so others can weigh
 in.  Here's the email with the description:

 Hey guys, so I'm trying to harden up (!) my wordpress installation, and
 the whole world-writable wp-content/uploads thing is avoidable by creating
 a group that includes me and apache (call it "checkersites"), and making
 wp-content/uploads et al group writable, group checkersites, and the
 directories group sticky.  So, any new directories and files created are
 group checkersites so I can toast them, even though apache is the owner.

 However, there's a bug in php's move_uploaded_file that it doesn't obey
 the directory group sticky bit, so any files uploaded and run through
 move_uploaded_file are apache:apache, which then breaks everything with
 this scheme (meaning, the files still work, but now I can't modify them
 without su'ing, etc.).  This has been recorded on the php docs for
 move_uploaded_file since 2008
 ([http://www.php.net/manual/en/function.move-uploaded-file.php#85149 note here]),
 so it looks like they just don't care. I was thinking about patching
 wordpress to work around this by checking if the destination directory's
 group sticky bit is set and changing the group to that if so.  Would you
 guys be interested in the patch?

 As far as I can tell, this is the only thing that forces non-root users to
 make directories world writable (or even readable, assuming the admin will
 set up the shared group for them).  Seems like it's worth fixing.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17227>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
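The workaround the reporter proposes, written out as an added example (this is not code from the ticket, nor WordPress core's own upload path): after `move_uploaded_file()` returns, look at the destination directory's mode, and if its setgid bit (`02000`) is set and the new file's group does not already match the directory's group, `chgrp()` the file to the directory's gid. The function names, the `$_FILES['file']` field and the destination path in the usage sketch are assumptions.

```php
<?php
// Added example, not from the ticket or from WordPress core.
// Reproduces what a setgid directory would do for a plain create()/rename():
// the new file inherits the directory's group instead of the web server's
// primary group.

/**
 * Move an uploaded file and, if the destination directory is setgid,
 * change the new file's group to the directory's group.
 *
 * @param string $tmp_name  The upload temp path ($_FILES[...]['tmp_name']).
 * @param string $dest      Full destination path (already validated by caller).
 * @return bool             True on success, false if the move or chgrp failed.
 */
function move_uploaded_file_setgid_aware( $tmp_name, $dest ) {
    if ( ! move_uploaded_file( $tmp_name, $dest ) ) {
        return false;
    }
    return inherit_setgid_group( $dest );
}

/**
 * If the parent directory of $path has the setgid bit (02000) set and the
 * file's group differs from the directory's group, chgrp the file to match.
 * Returns true when nothing needed doing or the chgrp succeeded.
 */
function inherit_setgid_group( $path ) {
    $dir = dirname( $path );

    // PHP caches stat results; clear them so we see the just-moved file.
    clearstatcache( true, $dir );
    clearstatcache( true, $path );

    $dir_stat  = stat( $dir );
    $file_stat = stat( $path );
    if ( false === $dir_stat || false === $file_stat ) {
        return false;
    }

    // stat()['mode'] carries the type and permission bits; 02000 is S_ISGID.
    $dir_is_setgid = ( $dir_stat['mode'] & 02000 ) !== 0;
    if ( ! $dir_is_setgid ) {
        return true; // Directory is not setgid; nothing to inherit.
    }
    if ( $dir_stat['gid'] === $file_stat['gid'] ) {
        return true; // Group already matches the directory.
    }

    // chgrp() only succeeds when the process owns the file and its user is a
    // member of the target group (or is root). In the shared-group scheme
    // from the ticket the web server user is in that group, so this works.
    return chgrp( $path, $dir_stat['gid'] );
}

// Usage sketch (hypothetical field name and path; $safe_name is assumed to
// have been sanitized by the caller, as WordPress does before moving uploads):
// $ok = move_uploaded_file_setgid_aware(
//     $_FILES['file']['tmp_name'],
//     '/var/www/html/wp-content/uploads/' . $safe_name
// );
```

Two caveats for anyone trying this: group ownership alone does not give the admin's account write access, the file's mode also has to grant the group write permission (a `chmod()` to a group-writable mode after the move, or a suitable umask for the web server), and since `chgrp()` silently does nothing useful when the web server user is not a member of the directory's group, the return value should be logged rather than ignored.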