[wp-trac] [WordPress Trac] #44706: Latest 4.9.7 wp_delete_attachment() security patch breaks deletion on 3rd party storage

WordPress Trac noreply at wordpress.org
Thu Aug 2 15:53:09 UTC 2018


#44706: Latest 4.9.7 wp_delete_attachment() security patch breaks deletion on 3rd
party storage
----------------------------+-----------------------------
 Reporter:  l3rady          |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Filesystem API  |    Version:  4.9.7
 Severity:  normal          |   Keywords:
  Focuses:                  |
----------------------------+-----------------------------
 We use AWS S3 to offload and store uploads on.

 Previously we would hook into the `wp_delete_file` filter see what files
 need deleting and then delete the files from the S3 bucket.

 The new security patch checks if the files exist on the local filesystem
 first and are in the right directory before even attempting to delete the
 files and subsequently firing the `wp_delete_file` filter. As our files
 are on a remote filesystem and not local, WordPress cannot see them
 locally and then doesn't attempt to delete the files. WordPress happily
 removes the record from the database but then leaves the files on S3.

 The way it has been patched means that now we have to hook
 `delete_attachment` instead and reimplement a lot of code WordPress
 already has due to a lack of filters and actions around this patch.

 would it be possible to put in a filter around the check for file
 existence so we can override the result by checking S3 if the file is
 there and then feeding that back to WordPress to allow the delete to
 happen?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44706>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list