[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.

WordPress Trac noreply at wordpress.org
Thu Nov 7 08:23:50 UTC 2019


#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+------------------------------
 Reporter:  xpoon           |       Owner:  (none)
     Type:  defect (bug)    |      Status:  reopened
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Filesystem API  |     Version:  trunk
 Severity:  major           |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+------------------------------

Comment (by xpoon):

 That sounds reasonable. If we would resolve just "trusted" paths, the
 question is where to put the code. This might apply to more places than
 just the one you mention, for example when the upload path is defined as a
 database option.

 One way might be to create a wp_realpath() that you can use to resolve
 paths that you know do not contain user input.

 Another way might be to have a parameter (allow_path_traversals) in
 wp_mkdir_p.

 I guess the first alternative would be the best as you get more control of
 what path is being resolved.

 I also agree that this would be easier to discuss if the reasons for
 [46482] were known.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
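The distinction the comment draws, resolving ".." only in paths the site operator controls while still refusing traversal in paths derived from request input, is illustrated by the following PHP. This is an added example, not WordPress core code and not the reporter's proposal as implemented; hypothetical_wp_realpath() and hypothetical_path_is_within() are invented names, and the directory values are constructed sample data.

```php
<?php
// Added illustration (not WordPress core code): a hypothetical wp_realpath()
// that lexically resolves "." and ".." in a path the caller trusts (for
// example a constant or a database option set by the administrator), plus a
// companion check for paths derived from untrusted input that must remain
// inside a base directory. Both function names are invented for this example.

function hypothetical_wp_realpath( $path ) {
    // Normalise separators and remember whether the path was absolute.
    $path     = str_replace( '\\', '/', $path );
    $absolute = ( substr( $path, 0, 1 ) === '/' );
    $out      = array();

    foreach ( explode( '/', $path ) as $segment ) {
        if ( $segment === '' || $segment === '.' ) {
            continue; // empty segment ("//") or current dir: nothing to do
        }
        if ( $segment === '..' ) {
            // Pop the previous segment; never climb above an absolute root.
            if ( ! empty( $out ) && end( $out ) !== '..' ) {
                array_pop( $out );
            } elseif ( ! $absolute ) {
                $out[] = '..'; // a relative path may legitimately start with ".."
            }
            continue;
        }
        $out[] = $segment;
    }

    return ( $absolute ? '/' : '' ) . implode( '/', $out );
}

// For untrusted input: accept the path only if, after lexical resolution,
// it still lies below $base. Trailing slashes are added so that
// "/uploads-evil" is not mistaken for a child of "/uploads".
function hypothetical_path_is_within( $path, $base ) {
    $path = rtrim( hypothetical_wp_realpath( $path ), '/' ) . '/';
    $base = rtrim( hypothetical_wp_realpath( $base ), '/' ) . '/';
    return strpos( $path, $base ) === 0;
}

// Trusted: an administrator-configured upload_path containing ".." is
// resolved rather than rejected (constructed sample values).
var_dump( hypothetical_wp_realpath( '/var/www/html/wp-content/../uploads' ) );

// Untrusted: a request-derived subdirectory is checked against the base.
$base = '/var/www/html/uploads';
var_dump( hypothetical_path_is_within( $base . '/2019/11', $base ) );
var_dump( hypothetical_path_is_within( $base . '/../../etc', $base ) );
```

The resolution here is purely lexical: unlike PHP's realpath(), it does not follow symlinks and does not require the directory to exist yet, which matters for a function like wp_mkdir_p() that is called precisely to create missing directories. The cost is that a symlink inside the base directory can still point elsewhere, so the containment check is a guard against traversal in the supplied string, not a guarantee about the final filesystem location.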

