[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.
WordPress Trac
noreply at wordpress.org
Thu Nov 7 08:23:50 UTC 2019
#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+------------------------------
Reporter: xpoon | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Filesystem API | Version: trunk
Severity: major | Resolution:
Keywords: | Focuses:
----------------------------+------------------------------
Comment (by xpoon):
That sounds reasonable. If we would resolve just "trusted" paths, the
question is where to put the code. This might apply to more places than
just the one you mention, for example when the upload path is defined as a
database option.
One way might be to create a wp_realpath() that you can use to resolve
paths that you know are not containing user input.
Another way might be to have a parameter (allow_path_traversals) in
wp_mkdir_p.
I guess the first alternative would be the best as you get more control of
what path is being resolved.
I also agree that this would be easier to discuss if the reasons for
[46482] where known.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list