[wp-trac] [WordPress Trac] #15134: WordPress should not try to remove theme's or plugin's directory recursively if the directory is a symlink
WordPress Trac
noreply at wordpress.org
Tue Oct 10 13:35:32 UTC 2017
#15134: WordPress should not try to remove theme's or plugin's directory recursively if the directory is a symlink
---------------------------------+------------------------------
 Reporter:  vladimir_kolesnikov  |       Owner:  dd32
     Type:  defect (bug)         |      Status:  reopened
 Priority:  normal               |   Milestone:  Awaiting Review
Component:  Upgrade/Install      |     Version:
 Severity:  major                |  Resolution:
 Keywords:  has-patch            |     Focuses:
---------------------------------+------------------------------
Changes (by Dreamsorcerer):
* severity: normal => major
Comment:
This is actually a fairly serious security flaw as well, e.g. if a plugin
author puts a symlink in their plugin and gets it uploaded to the plugin
repository.
If the plugin includes a symlink pointing to '../../..', then WP will
recursively delete itself. I've tested this with a symlink to
'../../themes' and WP successfully deleted all the themes while trying to
upgrade the plugin. If the server is really poorly configured, then a
symlink to '/' or similar might even be able to wipe out the whole server.
What's worse is that even if the plugin author managed to do something like
this accidentally, and later realised their mistake, there would be no way
for them to fix it. Providing any update at all to the plugin repository
would trigger the deletion.
Attached is a patch which fixes the bug while also closing this security
hole.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/15134#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
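The following is an added illustration of the defensive behaviour the ticket asks for; it is not the patch attached to the ticket and not WordPress core code. It shows a recursive delete in PHP that treats a symlink as a single entry to unlink, so a link such as `../../themes` inside a plugin directory is removed without touching what it points at. The directory layout, the plugin name `evil` and the helper name `safe_rmdir_recursive` are constructed for the demonstration.

```php
<?php
// Added example, not WordPress code: recursive delete that never follows symlinks.
// A symlinked directory is removed with unlink() as a link, so its target
// (for example ../../themes) is left intact.
function safe_rmdir_recursive(string $path): bool {
    // is_link() must be tested before is_dir(): is_dir() follows the link and
    // would report the target directory, which is exactly the trap we avoid.
    if (is_link($path) || !is_dir($path)) {
        return unlink($path);
    }
    foreach (scandir($path) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (!safe_rmdir_recursive($path . DIRECTORY_SEPARATOR . $entry)) {
            return false;
        }
    }
    return rmdir($path);
}

// Constructed layout under the system temp directory (POSIX host assumed):
//   <tmp>/wp-content/themes/twentyseventeen/style.css   must survive
//   <tmp>/wp-content/plugins/evil/readme.txt
//   <tmp>/wp-content/plugins/evil/link -> ../../themes  the dangerous entry
$root = sys_get_temp_dir() . '/symlink-demo-' . uniqid();
mkdir("$root/wp-content/themes/twentyseventeen", 0700, true);
file_put_contents("$root/wp-content/themes/twentyseventeen/style.css", "/* theme */");
mkdir("$root/wp-content/plugins/evil", 0700, true);
file_put_contents("$root/wp-content/plugins/evil/readme.txt", "plugin");
symlink('../../themes', "$root/wp-content/plugins/evil/link");

// Remove the plugin directory the way an upgrade would, then verify that the
// plugin is gone while the theme the symlink pointed at is still there.
$removed = safe_rmdir_recursive("$root/wp-content/plugins/evil");
$pluginGone   = !file_exists("$root/wp-content/plugins/evil");
$themeIntact  = file_exists("$root/wp-content/themes/twentyseventeen/style.css");
printf("removed=%s plugin_gone=%s theme_intact=%s\n",
    var_export($removed, true), var_export($pluginGone, true), var_export($themeIntact, true));

// Clean up the demonstration tree (the same function is safe to use here).
safe_rmdir_recursive($root);
```

The ordering of the `is_link()` and `is_dir()` checks is the whole point: a delete routine that asks `is_dir()` first sees the symlink as a directory and descends into the target. Note that on Windows PHP removes a directory symlink with `rmdir()` rather than `unlink()`, so the example above assumes a POSIX host.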