[wp-trac] [WordPress Trac] #48369: Uploaded media files created with incorrect permissions if directory set to 751.

WordPress Trac noreply at wordpress.org
Fri Oct 18 17:20:11 UTC 2019


#48369: Uploaded media files created with incorrect permissions if directory set to
751.
----------------------------+-----------------------------
 Reporter:  jonathangilpin  |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  General         |    Version:  5.2.3
 Severity:  normal          |   Keywords:
  Focuses:                  |
----------------------------+-----------------------------
 I discovered a very strange issue. Files uploaded in the Media Library
 are having permissions set to 640 instead of 644.

 I’ve tried setting a umask in the wp-config.php file, e.g.
 define('FS_CHMOD_FILE', 0644);

 This seems to have no effect.
 Strangely, there are a number of WordPress sites on this box. Only 2 of
 these have this issue and the others all work fine and set the permissions
 to 644.

 I have uploaded a simple PHP upload script to see if this is a PHP issue,
 but using the simple upload script the permissions are set to 644. So I’m
 sure this is a WordPress issue.

 I’ve then re-installed WordPress in the Admin interface; this didn’t make
 any difference. I’m running 5.2.4 – the latest. I don’t think we had this
 issue before the last update, but I cannot be 100% sure of that.

 After digging in File.php I added some debug code:

 // Set correct file permissions.
 $stat = stat( dirname( $new_file ) );
 error_log( "JSG: STAT MODE $stat[mode]" ); // new line
 $perms = $stat['mode'] & 0000666;
 error_log( "JSG: $perms" ); // new line

 [18-Oct-2019 15:18:13 UTC] JSG: STAT MODE 16873
 [18-Oct-2019 15:18:13 UTC] JSG: 416 <-- this is bad right?

 On another site which works fine with the same debug code I have:

 DRT JSG: STAT MODE 16877
 DRT JSG: 420

 This made me look at the code and realise the issue. If the DIR is set to
 751, then the permissions on uploaded files are changed to 640, but if
 the dir is 755 the permissions are set to 644.

 Having permissions of 751 is acceptable from a security point of view
 because the server only needs execute permission on the dir to
 access the files within it.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48369>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
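
The mask from the debug snippet in the ticket, worked through as an added example that is not part of the original report or of WordPress core: it decodes the two logged stat modes into octal and lists directories under an uploads tree whose mode would yield files without the world-read bit. The function names and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. All function names are hypothetical.

/** Apply the mask from the ticket's snippet to a directory's stat() mode. */
function inherited_file_perms( int $dir_stat_mode ): int {
    return $dir_stat_mode & 0000666;
}

/** Format the permission bits of a mode as octal, e.g. 416 -> "0640". */
function octal_perms( int $mode ): string {
    return sprintf( '%04o', $mode & 07777 );
}

/** Map each directory under $root that lacks other-read to "dir mode -> file mode". */
function dirs_yielding_non_world_readable( string $root ): array {
    $dirs = array( $root );
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable subdirectories
    );
    foreach ( $iter as $entry ) {
        if ( $entry->isDir() && ! $entry->isLink() ) {
            $dirs[] = $entry->getPathname();
        }
    }
    $hits = array();
    foreach ( $dirs as $dir ) {
        $mode  = stat( $dir )['mode'];
        $perms = inherited_file_perms( $mode );
        if ( 0 === ( $perms & 0004 ) ) {
            $hits[ $dir ] = octal_perms( $mode ) . ' -> ' . octal_perms( $perms );
        }
    }
    return $hits;
}

// The two stat modes logged in the ticket.
foreach ( array( 16873, 16877 ) as $logged ) {
    $perms = inherited_file_perms( $logged );
    printf( "dir %s -> file %s (decimal %d)\n", octal_perms( $logged ), octal_perms( $perms ), $perms );
}

// Constructed demo tree: one 0751 directory between two 0755 ones.
$root = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir( "$root/2019/10", 0755, true );
foreach ( array( $root => 0755, "$root/2019" => 0751, "$root/2019/10" => 0755 ) as $dir => $mode ) {
    chmod( $dir, $mode );
}
print_r( dirs_yielding_non_world_readable( $root ) );
array_map( 'rmdir', array( "$root/2019/10", "$root/2019", $root ) ); // remove the demo tree
```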