[wp-trac] [WordPress Trac] #33480: After upgrade to 4.3 unable to update plugins.

WordPress Trac noreply at wordpress.org
Fri Aug 21 06:20:15 UTC 2015


#33480: After upgrade to 4.3 unable to update plugins.
-----------------------------+-----------------------------
 Reporter:  jobst            |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  4.3.1
Component:  Upgrade/Install  |     Version:  4.3
 Severity:  major            |  Resolution:
 Keywords:  needs-patch      |     Focuses:  administration
-----------------------------+-----------------------------

Comment (by jobst):

 Found it, it is a permission problem BUT it is an oversight of the person
 who wrote the changes of the update part of plugins for 4.3.

 I first compared the two versions (4.2.4 and 4.3) to find out whether
 there are any differences at that part of the code - there are lots, the
 way a deletion is treated is very different:

   4.2.4 uses $wp_filesystem->delete

 while

   4.3 uses $this->clear_destination()

 $this->clear_destination() has a vital flaw: it assumes the file owner and
 group are the same, meaning the group/user running apache and the user
 owning/editing the file are the same, e.g.:

 {{{
 -rw-r--r--  1 nobody nobody 17333 Apr 30 11:30 tinymce-advanced.php
 -rw-r--r--  1 nobody nobody   535 Apr 30 11:31 uninstall.php
 [root SOME_PATH/wp-content/plugins/tinymce-advanced] #>
 }}}

 That is totally insecure (especially in a world of CMS'es with badly
 written plugins/extensions), so my setup is:

 {{{
 -rw-r--r--  1 SOMEUSER nobody 17333 Apr 30 11:30 tinymce-advanced.php
 -rw-r--r--  1 SOMEUSER nobody   535 Apr 30 11:31 uninstall.php
 [root SOME_PATH/wp-content/plugins/tinymce-advanced] #>
 }}}

 In my case (and I am sure for many other secure/safety conscious admins)
 the user doing the FTP/SSH2 stuff is the same user that owns the file
 (above called SOMEUSER) NOT nobody (the user running apache).

 The real issue is $this->clear_destination uses "is_writable/is_writeable"
 which is a PHP function running in the context of the user running apache
 (nobody in the case above), so obviously the files are NOT writeable and
 never should be!

 The ONLY 2 directories open for the user running apache "nobody" should be
 "SOME_PATH/wp-content/uploads"  and "SOME_PATH/wp-content/upgrade", which
 in my case both have the correct permissions.


 Hope this helps.
 Jobst



 Replying to [comment:4 dd32]:
 > Replying to [comment:3 jobst]:
 > > Can you give me some more info in which file is_writable() is located, please.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33480#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
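The point of the comment above is that PHP's is_writable() answers "can the web-server process write here?", so an updater that relies on it only succeeds when the web-server user owns (or has group/other write on) the plugin files. The following is an added example, not code from WordPress core or from the ticket: a small audit that evaluates that same question from ownership and permission bits for a chosen web-server uid/gid and lists every writable path outside wp-content/uploads and wp-content/upgrade, the two directories the comment names as the only ones the web server should be able to write to. The numeric ids, the Entry/audit names and the sample listings are constructed for the example; the listings mirror the two ls outputs in the comment.

```python
"""Audit which paths in a WordPress tree the web-server user could write to.

Added example (not WordPress core code). Owner bits apply when the web user
owns the path, otherwise group bits when it belongs to the owning group,
otherwise the 'other' bits, the same order access(2) uses and therefore the
same answer PHP's is_writable() gives when run as the web-server user.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# The only locations the comment says the web-server user should be able to
# write to (relative to the WordPress root).
ALLOWED_WRITABLE_PREFIXES = ("wp-content/uploads", "wp-content/upgrade")


@dataclass(frozen=True)
class Entry:
    path: str  # relative to the WordPress root
    mode: int  # st_mode; only the permission bits are consulted
    uid: int   # owning user id
    gid: int   # owning group id


def web_user_can_write(entry: Entry, web_uid: int, web_gids: Iterable[int]) -> bool:
    """Reproduce the access(2) decision for the given web-server uid/gids
    (root is deliberately not special-cased: a web server should not be root)."""
    if entry.uid == web_uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in set(web_gids):
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def is_expected_writable(path: str) -> bool:
    """True for paths inside the directories that are meant to be writable."""
    norm = path.strip("/")
    return any(norm == p or norm.startswith(p + "/") for p in ALLOWED_WRITABLE_PREFIXES)


def audit(entries: Iterable[Entry], web_uid: int, web_gids: Iterable[int]) -> List[str]:
    """Return the paths the web-server user could write to but should not."""
    gids = set(web_gids)
    return [e.path for e in entries
            if web_user_can_write(e, web_uid, gids) and not is_expected_writable(e.path)]


def scan_tree(root: str, web_uid: int, web_gids: Iterable[int]) -> List[str]:
    """Run the same audit over a real install, using lstat on every path."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(Entry(os.path.relpath(full, root), st.st_mode, st.st_uid, st.st_gid))
    return audit(entries, web_uid, web_gids)


# Constructed sample data modelled on the two listings in the comment.
# The numeric ids are made up; "nobody" is the user running apache.
NOBODY_UID, NOBODY_GID = 65534, 65534
SOMEUSER_UID = 1001  # the SSH/FTP user that owns and edits the files

PLUGIN = "wp-content/plugins/tinymce-advanced"

# First listing: files owned by nobody:nobody, mode 0644. The web server can
# write them, so the is_writable()-based updater works, but so can any code
# that runs inside the web server, which is the commenter's objection.
INSECURE_LAYOUT = [
    Entry(f"{PLUGIN}/tinymce-advanced.php", 0o100644, NOBODY_UID, NOBODY_GID),
    Entry(f"{PLUGIN}/uninstall.php", 0o100644, NOBODY_UID, NOBODY_GID),
    Entry("wp-content/uploads", 0o040775, NOBODY_UID, NOBODY_GID),
]

# Second listing: files owned by SOMEUSER:nobody, mode 0644. Group "nobody"
# has no write bit, so is_writable() is false for the web server and only the
# two intended directories (group-writable here) remain writable.
HARDENED_LAYOUT = [
    Entry(f"{PLUGIN}/tinymce-advanced.php", 0o100644, SOMEUSER_UID, NOBODY_GID),
    Entry(f"{PLUGIN}/uninstall.php", 0o100644, SOMEUSER_UID, NOBODY_GID),
    Entry("wp-content/uploads", 0o040775, SOMEUSER_UID, NOBODY_GID),
    Entry("wp-content/upgrade", 0o040775, SOMEUSER_UID, NOBODY_GID),
    Entry("wp-config.php", 0o100640, SOMEUSER_UID, NOBODY_GID),
]

if __name__ == "__main__":
    for label, layout in (("insecure", INSECURE_LAYOUT), ("hardened", HARDENED_LAYOUT)):
        print(f"{label}: unexpected writable paths -> {audit(layout, NOBODY_UID, [NOBODY_GID])}")
```

Run against a real install with scan_tree("/path/to/wordpress", web_uid, web_gids), supplying the uid and group ids of the account the web server runs as. An empty result for the hardened layout is exactly the situation the comment describes: the files are correctly not writable by the web server, so any updater step that keys on is_writable() will report them as undeletable.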