[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.
WordPress Trac
noreply at wordpress.org
Tue Nov 26 19:13:48 UTC 2019
#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+------------------------------
Reporter: xpoon | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Filesystem API | Version: 5.2.4
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+------------------------------
Comment (by xpoon):
To be honest, I don't think we should commit a rushed solution just so me
and you, @mpcube, can get our sites working. I have deployed temporary
workarounds for about 100k sites, so I'm fine for a while.
If more people are affected by this though, I think we should consider
rolling back the initial change and make a better implementation with some
kind of "trusted paths" in where path traversals are allowed, like
suggested before. But as I don't know whether this change was made to fix
some critical vulnerability or just because it's best practice to do it
this way, I can't know if rolling back is an actual option or not.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:30>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform