[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.
WordPress Trac
noreply at wordpress.org
Sun Nov 24 01:33:35 UTC 2019
#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+------------------------------
 Reporter:  xpoon           |       Owner:  (none)
     Type:  defect (bug)    |      Status:  reopened
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Filesystem API  |     Version:  5.2.4
 Severity:  major           |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+------------------------------
Comment (by peterwilsoncc):

`realpath()` doesn’t work for cases in which WordPress needs to create the
directory before using it. The function only works for existing
directories.

I like the idea of trusted and untrusted paths if trusted paths are
''limited to paths defined in wp-config.php'' constants. Determining if
the value is trustworthy would need to happen during bootstrapping to
allow for constants defined via options if they’re not set.

Before going down this path, I’d like to check in for some historical
context with members of the WordPress security team.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
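
The `realpath()` limitation described in the comment above, shown as an added example that is not part of the original message and is not WordPress core code. The function names `lexical_normalize()` and `is_within()` and the sample directory layout are hypothetical; the normalization is purely lexical, so it assumes POSIX-style absolute paths and does not resolve symlinks.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

/**
 * Collapse "." and ".." segments lexically, without touching the filesystem,
 * so it also works for directories that have not been created yet.
 * Assumes an absolute POSIX-style path; symlinks are NOT resolved.
 */
function lexical_normalize(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;               // skip empty and current-directory segments
        }
        if ($seg === '..') {
            array_pop($out);        // step up one level; at the root, stay at the root
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** True when $path, once normalized, is $base itself or lies beneath it. */
function is_within(string $path, string $base): bool
{
    $path = lexical_normalize($path);
    $base = rtrim(lexical_normalize($base), '/');
    // Compare against "$base/" so that "/srv/site-evil" is not treated as inside "/srv/site".
    return $path === $base || strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Constructed sample layout: an upload directory configured with ".." that
// has not been created on disk yet.
$root    = sys_get_temp_dir() . '/example-site/wordpress';
$uploads = $root . '/../uploads/2019/11';
$allowed = $root . '/..';           // hypothetical trusted base directory

// realpath() needs the target to exist; the lexical functions do not.
var_dump(realpath($uploads));
var_dump(lexical_normalize($uploads));
var_dump(is_within($uploads, $allowed));

// Extra ".." segments that climb above the trusted base are rejected.
var_dump(is_within($uploads . '/../../../../etc', $allowed));
```

Because symlinks are not followed, a lexical check like this only complements, and does not replace, a `realpath()` comparison once the directory exists.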