[wp-trac] [WordPress Trac] #49440: Allow configuring the upgrade directory
WordPress Trac
noreply at wordpress.org
Wed Sep 16 19:13:48 UTC 2020
#49440: Allow configuring the upgrade directory
-----------------------------+------------------------------------------
Reporter: natesymer | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration, performance
-----------------------------+------------------------------------------
Comment (by wpe_bdurette):
At WP Engine we lock down most of the filesystem outside of the webroot
(though `/tmp` is available). This makes me worry a little bit about the
customer experience of sites migrating onto our platform that have
settings/code to override this directory to a path that's not usable on
our system. For this not to cause breakage, we would have to override that
setting with a value that works on our platform. This isn't a problem per
se, but having some lead time on what filter needs to be put in place ahead
of a rollout so that we can pre-deploy such a filter in an mu-plugin would
be appreciated and reduce customer pain.
Also, the security implications of allowing writes to `/tmp` for this
purpose are interesting from the perspective of shared hosting. If the
subpaths under `/tmp` are fixed/guessable, then this opens the possibility
of two tenants attempting to write in the same location concurrently. This
could cause undefined behavior in the innocent case or open up a vector
for malicious actors to inject malicious code into updates, resulting in
that code being injected into all tenants using the same path. Again, not
a problem if hosting companies pre-deploy filters for customer-specific
paths with sufficient entropy, but common default implementations could
leave sites vulnerable.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49440#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
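The mitigation the comment above sketches, a host-deployed mu-plugin that pins each tenant to an unguessable, owner-only directory under `/tmp`, as an added example. This is not WordPress core code and not WP Engine's; it assumes that #49440 ends up exposing a filter on the upgrade directory path, and the filter name `upgrade_dir` below is a placeholder for whatever core actually ships. The per-site path component is an HMAC of the site URL under the tenant's own `AUTH_KEY`, so two tenants on the same box never share a path and neither can predict the other's; the directory is created `0700` and rejected if it turns out to be a symlink or owned by another user, which is the pre-creation scenario the comment describes.

```php
<?php
/**
 * Plugin Name: Per-tenant upgrade directory (example, not core or WP Engine code)
 *
 * ASSUMPTION: a filter named 'upgrade_dir' receives the default upgrade path
 * (currently WP_CONTENT_DIR . '/upgrade') and returns the path to use.
 */

function example_tenant_upgrade_dir( $default_dir ) {
    // Without a real per-site secret there is no entropy to add; keep core's default.
    if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === 'put your unique phrase here' ) {
        return $default_dir;
    }

    // Unguessable, stable, per-site component: HMAC-SHA256( site URL, AUTH_KEY ).
    $token = substr( hash_hmac( 'sha256', home_url(), AUTH_KEY ), 0, 32 );
    $dir   = rtrim( sys_get_temp_dir(), '/' ) . '/wp-upgrade-' . $token;

    // Create owner-only. The process umask can widen the mkdir mode, so chmod after.
    if ( ! is_dir( $dir ) && ! @mkdir( $dir, 0700, true ) ) {
        return $default_dir;
    }
    @chmod( $dir, 0700 );

    // Refuse a path that another tenant pre-created or replaced with a symlink:
    // it must be a real directory owned by the user PHP is running as.
    $uid_matches = function_exists( 'posix_geteuid' )
        ? fileowner( $dir ) === posix_geteuid()
        : true; // posix extension absent: ownership check unavailable on this host
    if ( is_link( $dir ) || ! $uid_matches || ! is_writable( $dir ) ) {
        return $default_dir;
    }

    return trailingslashit( $dir );
}
add_filter( 'upgrade_dir', 'example_tenant_upgrade_dir' );
```

Dropped into `wp-content/mu-plugins/`, this runs before any customer code, so a migrated site's own override of the directory is still subject to the host's filter if the host hooks it at a later priority. The HMAC keeps the path stable across requests without storing state, and `0700` plus the ownership and symlink checks are what close the shared-`/tmp` collision and update-injection concern the comment raises; a host whose PHP lacks the posix extension loses the ownership check and should rely on per-tenant `/tmp` (for example a private tmp mount) instead.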