[wp-trac] [WordPress Trac] #36710: Symlinked directories should not be deleted recursively

WordPress Trac noreply at wordpress.org
Tue Oct 10 13:46:05 UTC 2017


#36710: Symlinked directories should not be deleted recursively
------------------------------------+-----------------------------
 Reporter:  andy                    |       Owner:
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  Future Release
Component:  Filesystem API          |     Version:
 Severity:  major                   |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:  administration
------------------------------------+-----------------------------
Changes (by Dreamsorcerer):

 * severity:  normal => major


Comment:

 This is actually a fairly serious security flaw as well, e.g. if a plugin
 author puts a symlink in their plugin and gets it uploaded to the plugin
 repository.

 If the plugin includes a symlink pointing to '../../..', then WP will
 recursively delete itself. I've tested this with a symlink to
 '../../themes' and WP successfully deleted all the themes while trying to
 upgrade the plugin. If the server is really poorly configured, then a
 symlink to '/' or similar might even be able to wipe out the whole server.

 What's worse is that even if the plugin author managed to do something like
 this accidentally, and later realised their mistake, there would be no way
 for them to fix it. Providing any update at all to the plugin repository
 would trigger the deletion.

 Attached is a patch which fixes the bug while also closing this security
 hole.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36710#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
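The failure mode described in the comment above is a recursive delete that follows a symlinked directory into its target. The following is an added example, not the patch attached to ticket #36710 and not WordPress core code: a recursive delete that checks `is_link()` before `is_dir()`, so a symlink (whether it points at a file or a directory) is removed as a link and its target is left alone. The function name `safe_recursive_delete` and the temp-dir fixture are assumptions for illustration; the example assumes a POSIX filesystem, where `unlink()` removes a directory symlink (on Windows that needs `rmdir()`).

```php
<?php
// Added example for ticket #36710 (not the attached patch, not WordPress core):
// recursive delete that never descends into a symlinked directory.

function safe_recursive_delete(string $path): bool {
    // is_link() must be tested before is_dir(): is_dir() follows symlinks and
    // would report the link's target as a directory, which is exactly the bug.
    // A symlink is removed as a link; whatever it points to is untouched.
    if (is_link($path)) {
        return unlink($path);
    }
    if (!is_dir($path)) {
        // plain file (or already gone)
        return file_exists($path) ? unlink($path) : true;
    }
    $entries = scandir($path);
    if ($entries === false) {
        return false;
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (!safe_recursive_delete($path . DIRECTORY_SEPARATOR . $entry)) {
            return false;
        }
    }
    return rmdir($path);
}

// Constructed fixture mirroring the scenario in the comment:
//   <tmp>/symlink-demo-<pid>/victim/keep.txt      must survive the delete
//   <tmp>/symlink-demo-<pid>/plugin/real.txt      part of the "plugin"
//   <tmp>/symlink-demo-<pid>/plugin/escape -> ../victim   symlink to a directory
$base   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'symlink-demo-' . getmypid();
$victim = $base . DIRECTORY_SEPARATOR . 'victim';
$plugin = $base . DIRECTORY_SEPARATOR . 'plugin';
mkdir($victim, 0700, true);
mkdir($plugin, 0700, true);
file_put_contents($victim . DIRECTORY_SEPARATOR . 'keep.txt', "must survive\n");
file_put_contents($plugin . DIRECTORY_SEPARATOR . 'real.txt', "plugin file\n");
symlink('../victim', $plugin . DIRECTORY_SEPARATOR . 'escape');

// Delete the "plugin" the way an upgrade would, then verify the outcome:
// the plugin directory is gone, but the file behind the symlink still exists.
safe_recursive_delete($plugin);
echo 'plugin dir removed: ', var_export(!is_dir($plugin), true), PHP_EOL;
echo 'symlink target kept: ',
     var_export(file_exists($victim . DIRECTORY_SEPARATOR . 'keep.txt'), true), PHP_EOL;

// Remove the fixture itself.
safe_recursive_delete($base);
```

The order of the two checks is the whole point: a delete routine that calls `is_dir()` first (or uses `filetype()` on the resolved target) will descend through `plugin/escape` into `victim` and empty it, which is what the comment observed with a link to `../../themes`. A filesystem-level check complements this in deployment: if the web server user has no write access outside the `wp-content` tree, a link to `/` cannot do more than fail.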

