[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.

WordPress Trac noreply at wordpress.org
Tue Oct 15 21:08:33 UTC 2019


#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+---------------------
 Reporter:  xpoon           |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  5.2.5
Component:  Filesystem API  |     Version:  trunk
 Severity:  major           |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+---------------------
Changes (by SergeyBiryukov):

 * milestone:  Awaiting Review => 5.2.5


Old description:

> Hi,
>
> We just found out that changeset 46482
> ([https://core.trac.wordpress.org/changeset/46482/]) in the latest
> WordPress 5.2.4 broke a huge number of our customer's sites (tens or
> thousands).
>
> We use a separate subdomain as upload directory. This is done by
> changing the option "upload_path" to "../../media.example.com/www/" (and
> "upload_url_path" to "http://media.example.com").
>
> This change means that new directories (for example "./2019/10/") can't
> be created, which breaks the entire upload functionality.
>
> If this changeset fixed some critical vulnerability which can't be fixed
> another way or if we are the only ones utilizing this feature, so be it.
> Otherwise this change might have to be reverted and reimplemented some
> other way.

New description:

 Hi,

 We just found out that changeset [46482] in the latest WordPress 5.2.4
 broke a huge number of our customer's sites (tens or thousands).

 We use a separate subdomain as upload directory. This is done by changing
 the option "upload_path" to "../../media.example.com/www/" (and
 "upload_url_path" to "http://media.example.com").

 This change means that new directories (for example "./2019/10/") can't be
 created, which breaks the entire upload functionality.

 If this changeset fixed some critical vulnerability which can't be fixed
 another way or if we are the only ones utilizing this feature, so be it.
 Otherwise this change might have to be reverted and reimplemented some
 other way.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

