[wp-trac] [WordPress Trac] #17227: wp should work around bug in move_uploaded_file for tighter security
WordPress Trac
wp-trac at lists.automattic.com
Sun Apr 24 00:28:51 UTC 2011
#17227: wp should work around bug in move_uploaded_file for tighter security
--------------------------+-----------------------------
Reporter: chrishecker | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
--------------------------+-----------------------------
Andrew Nacin said I should put this in a new ticket so others can weigh
in. Here's the email with the description:
Hey guys, so I'm trying to harden up (!) my wordpress installation, and
the whole world-writable wp-content/uploads thing is avoidable by creating
a group that includes me and apache (call it "checkersites"), and making
wp-content/uploads et al group writable, group checkersites, and the
directories group sticky. So, any new directories and files created are
group checkersites so I can toast them, even though apache is the owner.
However, there's a bug in php's move_uploaded_file that it doesn't obey
the directory group sticky bit, so any files uploaded and run through
move_uploaded_file are apache:apache, which then breaks everything with
this scheme (meaning, the files still work, but now I can't modify
them without su'ing, etc.). This has been recorded on the php docs for
move_uploaded_file since 2008 ([http://www.php.net/manual/en/function.move-uploaded-file.php#85149 note here]), so it looks like they just
don't care. I was thinking about patching wordpress to work around this by
checking if the destination directory's group sticky bit is set and
changing the group to that if so. Would you guys be interested in the
patch?
As far as I can tell, this is the only thing that forces non-root users to
make directories world writable (or even readable, assuming the admin will
set up the shared group for them). Seems like it's worth fixing.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17227>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
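The workaround the reporter proposes (check the destination directory's setgid bit and, if set, give the moved file the directory's group) as an added PHP example; this is not a WordPress patch or core code, and the helper name, the `$_FILES` field name and the upload path are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. After move_uploaded_file() has
// placed the file, make its group match a setgid destination directory,
// which is what the kernel would do for a file created normally in it.
// Hypothetical helper name; an upload handler would call it after the move.
function example_fix_upload_group( $new_file ) {
    $dir      = dirname( $new_file );
    $dir_stat = @stat( $dir );
    if ( false === $dir_stat ) {
        return false; // cannot inspect the directory
    }
    // 02000 is S_ISGID; stat()'s 'mode' element carries the full st_mode.
    if ( ! ( $dir_stat['mode'] & 02000 ) ) {
        return true; // directory is not setgid, nothing to work around
    }
    $file_stat = @stat( $new_file );
    if ( false === $file_stat ) {
        return false; // the moved file is not where we expect it
    }
    if ( $file_stat['gid'] === $dir_stat['gid'] ) {
        return true; // group already matches (PHP build that honours setgid)
    }
    // chgrp() succeeds only when the web server user belongs to the target
    // group (or is root), which is exactly the shared-group setup described
    // in the ticket; any other result is reported to the caller.
    return @chgrp( $new_file, $dir_stat['gid'] );
}

// Constructed usage: a single-file upload field named "file".
$target = '/var/www/wp-content/uploads/2011/04/example.png'; // constructed path
if ( isset( $_FILES['file']['tmp_name'] )
     && move_uploaded_file( $_FILES['file']['tmp_name'], $target ) ) {
    if ( ! example_fix_upload_group( $target ) ) {
        error_log( "upload group fix failed for $target" );
    }
}
```

Only the group is adjusted; file permission bits are left to whatever the caller already applies, so the file's mode and owner are unchanged by this helper.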