[wp-trac] [WordPress Trac] #36710: Symlinked directories should not be deleted recursively
WordPress Trac
noreply at wordpress.org
Tue Oct 10 21:57:04 UTC 2017
#36710: Symlinked directories should not be deleted recursively
------------------------------------+-----------------------------
Reporter: andy | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Filesystem API | Version:
Severity: major | Resolution:
Keywords: has-patch dev-feedback | Focuses: administration
------------------------------------+-----------------------------
Comment (by Otto42):
Replying to [comment:4 Dreamsorcerer]:
> This is actually a fairly serious security flaw as well, e.g. if a
> plugin author puts a symlink in their plugin, and gets it uploaded to the
> plugin repository.
The plugin/theme repository generates its own ZIP files, it doesn't take
them as given from the original uploader. Even if they were able to get a
symlink into the SVNs, the symlink would not be put in the resulting ZIP
file that is generated by WordPress.org to be sent to end-users, because
we do not include the necessary parameters to the "zip" program to allow
it to include such symlinks in the resulting ZIP files.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36710#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
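
As an added illustration (not part of the ticket, and not WordPress.org's tooling): a symlink can only travel inside a ZIP as an entry whose Unix mode bits mark it as a link, so an archive can be audited for such entries before it is unpacked. The archive contents, paths and function names below are constructed for this example.

```python
import io
import stat
import zipfile


def symlink_entries(zip_bytes):
    """Return (name, target) for every entry whose Unix mode marks it as a symlink."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # create_system == 3 means the entry carries Unix attributes;
            # the high 16 bits of external_attr then hold the st_mode value.
            mode = info.external_attr >> 16
            if info.create_system == 3 and stat.S_ISLNK(mode):
                # A symlink entry stores the link target as its file data.
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def build_sample(with_symlink):
    """Constructed sample archive; all names and the link target are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-plugin/example-plugin.php", "<?php // constructed sample\n")
        if with_symlink:
            link = zipfile.ZipInfo("example-plugin/cache")
            link.create_system = 3  # Unix
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/srv/shared/cache")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("without link", build_sample(False)),
                        ("with link", build_sample(True))):
        hits = symlink_entries(data)
        print(label, "->", hits if hits else "no symlink entries")
```

An archive for which `symlink_entries` returns an empty list contains no entries flagged as symlinks, which is the property the comment above describes for the generated ZIP files.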