[wp-trac] [WordPress Trac] #10423: get_filesystem_method() uses wrong owner for validation

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 16 11:09:48 UTC 2009


#10423: get_filesystem_method() uses wrong owner for validation
-----------------------------+----------------------------------------------
 Reporter:  cyberspice       |       Owner:  dd32         
     Type:  defect (bug)     |      Status:  new          
 Priority:  normal           |   Milestone:  Unassigned   
Component:  Upgrade/Install  |     Version:  2.8.1        
 Severity:  normal           |    Keywords:  Upgrade close
-----------------------------+----------------------------------------------
Changes (by dd32):

  * keywords:  Upgrade => Upgrade close


Comment:

 > This is a potential security risk.

 Can you explain that a bit further before I just close this as duplicate
 and refer you to the previous tickets/explanations?

 >  The WordPress files can be owned by someone else and the update system
 >  works as long as the webserver has permissions to write.

 If that was the intended direction, I'd have just used an is_writable()
 call.

 The intended aim of that code is that if the owner of the created files
 differs from that of the currently running process, then NOT to use the
 direct setup, due to the created files being owned by someone other than
 the actual user.

 Another way that code could be written which may work on more hosts is:
 {{{
 // PHP's function is fileowner(); the temp file is one just created by the
 // running process, and the direct method is only chosen when its owner
 // matches the owner of the currently executing script.
 if ( fileowner($temp_file) !== false && fileowner(__FILE__) === fileowner($temp_file) ) {
     // use direct
 }
 }}}

 but that would NOT cause the direct setup to be used in your situation
 either..

 The use of {{{getmyuid()}}} was basically a replacement for
 {{{fileowner(__FILE__)}}}.

 Still tempted to close as duplicate, but might be worth changing the code,
 or at least adding a comment that it's the intended code..

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10423#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
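The ownership check discussed in the comment above, as an added stand-alone example (this is not WordPress core code and not dd32's snippet): it creates a temp file as the running process and compares that file's owner both with getmyuid(), as the comment says the current code does, and with the owner of the executing script, the alternative proposed in the comment. The function name, the array keys and the use of sys_get_temp_dir() as the target directory are assumptions for the demo.

```php
<?php
// Added example, not WordPress core code. Names and the target directory
// are assumptions chosen for the demo.

function demo_filesystem_method(string $dir): array {
    // Create a file the way an update would: as the currently running process.
    $temp_file = tempnam($dir, 'wp-fs-check-');
    if ($temp_file === false) {
        return ['method' => 'not-direct', 'alt_method' => 'not-direct',
                'reason' => 'could not create temp file'];
    }

    $temp_owner   = fileowner($temp_file);  // uid that owns the freshly created file
    $process_uid  = getmyuid();             // what the current check compares against
    $script_owner = fileowner(__FILE__);    // the alternative from the comment
    unlink($temp_file);

    // Current check: created file must be owned by the uid getmyuid() reports.
    $current_ok = ($temp_owner !== false && $temp_owner === $process_uid);
    // Alternative check: created file must be owned by whoever owns this script.
    $alt_ok     = ($temp_owner !== false && $temp_owner === $script_owner);

    // If the owners differ, files written by "direct" would belong to someone
    // other than the account that owns the install, so direct is not used.
    return [
        'temp_owner'   => $temp_owner,
        'process_uid'  => $process_uid,
        'script_owner' => $script_owner,
        'method'       => $current_ok ? 'direct' : 'not-direct',
        'alt_method'   => $alt_ok ? 'direct' : 'not-direct',
    ];
}

print_r(demo_filesystem_method(sys_get_temp_dir()));
```

Run it once as the webserver user and once as the account that owns the files to see the two checks diverge on hosts where those differ.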

