[wp-trac] [WordPress Trac] #42986: Insert default filters to wp_delete_file to don't delete core files.

WordPress Trac noreply at wordpress.org
Tue Jan 9 04:48:27 UTC 2018


#42986: Insert default filters to wp_delete_file to don't delete core files.
-------------------------+----------------------
 Reporter:  lenon        |       Owner:
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  Media        |     Version:  4.9.1
 Severity:  normal       |  Resolution:  wontfix
 Keywords:               |     Focuses:
-------------------------+----------------------
Changes (by dd32):

 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>


Comment:

 Hey @lenon and welcome to Trac.

 Thanks for submitting this, however, this doesn't seem like something
 which is needed in WordPress.

 My issues with this is:
  * Plugins could bypass this by using `unlink()` directly
  * We can't enforce plugins to use `wp_delete_file()`
  * We can't prevent plugins from using `unlink()`.
  * Plugins should not allow deletion of arbitrary files, if a plugin
 allows for `wp_delete_file()` to be passed `ABSPATH` it's not sanitizing
 it's input correctly.

 I'm going to close this as `wontfix`, however, you can still reply and we
 can re-open it if you can explain the benefits of adding this.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42986#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list