[wp-trac] [WordPress Trac] #17227: wp should work around bug in move_uploaded_file for tighter security
WordPress Trac
wp-trac at lists.automattic.com
Sun Apr 24 00:44:04 UTC 2011
#17227: wp should work around bug in move_uploaded_file for tighter security
--------------------------+------------------------------
Reporter: chrishecker | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: |
--------------------------+------------------------------
Comment (by dd32):
IMO, we can probably ignore the sticky bit, and attempt to set the group
to that of the uploads directory in all attempts.
PHP's chgrp() command can only change the group to groups it's within;
the uploads directory should be either a directory created by apache (and
therefore, default group), or a directory created by the user (the user's
group). If it's the first case, we don't gain anything. If it's the second
case, we no longer need the uploads directory to be world-readable, which
could increase security.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17227#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
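The group-matching step discussed in the comment above, sketched in PHP as an added example (not WordPress code and not from the ticket). `match_dir_group()` and the demo paths are hypothetical, and the POSIX extension is assumed for the membership check.

```php
<?php
// Added example; match_dir_group() is a hypothetical helper, not a WordPress API.

/**
 * Try to give $file the group of its parent directory.
 * Returns 'unchanged' (groups already match, nothing gained),
 * 'changed' (file now carries the directory's group),
 * or 'not-permitted' (the process may not assign that group).
 */
function match_dir_group(string $file): string
{
    $dirGid  = filegroup(dirname($file));
    $fileGid = filegroup($file);
    if ($dirGid === false || $fileGid === false) {
        return 'not-permitted';
    }
    if ($fileGid === $dirGid) {
        // Directory was created by the server process with its default group.
        return 'unchanged';
    }
    // An unprivileged process can only chgrp to a group it belongs to,
    // so check membership first when the POSIX extension is loaded.
    if (function_exists('posix_getgroups') && posix_geteuid() !== 0) {
        $mine   = posix_getgroups() ?: [];
        $mine[] = posix_getegid();
        if (!in_array($dirGid, $mine, true)) {
            return 'not-permitted';
        }
    }
    if (!@chgrp($file, $dirGid)) {
        return 'not-permitted';
    }
    clearstatcache(true, $file);   // stat results are cached per path
    return filegroup($file) === $dirGid ? 'changed' : 'not-permitted';
}

// Constructed demo: a temp directory stands in for the uploads directory,
// and a plain file stands in for the result of move_uploaded_file().
$dir  = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir($dir, 0750);
$file = $dir . '/example.jpg';
file_put_contents($file, 'constructed sample data');

echo match_dir_group($file), "\n";

unlink($file);
rmdir($dir);
```

Only the 'changed' outcome corresponds to the second case in the comment, where the directory belongs to the user's group and world access is no longer needed.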