[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.
WordPress Trac
noreply at wordpress.org
Thu Oct 24 03:03:02 UTC 2019
#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+-----------------------
Reporter: xpoon | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Filesystem API | Version: trunk
Severity: major | Resolution:
Keywords: | Focuses:
----------------------------+-----------------------
Changes (by DreadLox):
* status: closed => reopened
* resolution: wontfix =>
Comment:
This workaround works but I think it just make the security fix useless:
{{{#!php
<?php
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
/** WPINC is not set yet **/
/** require_once( ABSPATH . WPINC . '/plugin.php' ); **/
require_once( ABSPATH . 'wp-includes' . '/plugin.php' );
add_filter( 'upload_dir', function ( $upload_dir ) {
$prev_basedir = $upload_dir['basedir'];
$upload_dir['basedir'] = realpath( $upload_dir['basedir'] );
$upload_dir['path'] = str_replace( $prev_basedir,
$upload_dir['basedir'], $upload_dir['path'] );
return $upload_dir;
} );
/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
}}}
I am reopening because I think the security fix should be improved to
check if the file path points to a file being in a base dir, that could be
the directory of index.php by default but can be configured or filtered.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list