[wp-trac] [WordPress Trac] #49440: Allow configuring the upgrade directory

WordPress Trac noreply at wordpress.org
Wed Sep 16 19:13:48 UTC 2020

#49440: Allow configuring the upgrade directory
 Reporter:  natesymer        |       Owner:  (none)
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Upgrade/Install  |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:  administration, performance

Comment (by wpe_bdurette):

 At WP Engine we lock down most of the filesystem outside of the webroot
 (though `/tmp` is available). This makes me worry a little bit about the
 customer experience of sites migrating onto our platform that have
 settings/code to override this directory to a path that's not usable on
 our system. For this not to cause breakage, we would have to override that
 setting with a value that works on our platform. This isn't a problem per
 se, but having some lead time on what filter needs to be put in place ahead
 of a rollout, so that we can pre-deploy such a filter in an mu-plugin, would
 be appreciated and reduce customer pain.

 Also, the security implications of allowing writes to `/tmp` for this
 purpose are interesting from the perspective of shared hosting. If the
 subpaths under `/tmp` are fixed/guessable, then this opens the possibility
 of two tenants attempting to write in the same location concurrently. This
 could cause undefined behavior in the innocent case or open up a vector
 for malicious actors to inject malicious code into updates, resulting in
 that code being injected into all tenants using the same path. Again, not
 a problem if hosting companies pre-deploy filters for customer-specific
 paths with sufficient entropy, but common default implementations could
 leave sites vulnerable.

Ticket URL: <https://core.trac.wordpress.org/ticket/49440#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
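The following mu-plugin is an added illustration of the mitigation the comment above describes (a host pre-deploying a filter that pins the upgrade directory to a per-customer path with enough entropy that another tenant cannot guess or pre-plant it). It is not code from ticket #49440, from WordPress core, or from WP Engine. It assumes core will expose a filter whose callback receives and returns an absolute directory path; the filter name `upgrade_dir` used here is a placeholder, since the ticket has not yet fixed one. `wp_salt()`, `get_site_url()`, `get_current_blog_id()` and `add_filter()` are existing core functions.

```php
<?php
/**
 * mu-plugin (example, not from #49440 or core): pin the upgrade directory to a
 * per-site, unguessable subdirectory of the system temp dir, created 0700 and
 * verified to be owned by this process before it is used.
 *
 * ASSUMPTION: the filter name below is hypothetical; substitute whatever
 * #49440 ships. The callback is registered at PHP_INT_MAX so it runs after any
 * customer code that hardcodes a path unusable on this platform.
 */

const WPE_EXAMPLE_UPGRADE_DIR_FILTER = 'upgrade_dir'; // placeholder name

/**
 * Directory name another tenant cannot predict: an HMAC over the site identity
 * keyed with this install's auth salt (AUTH_KEY/AUTH_SALT are per wp-config).
 */
function wpe_example_private_upgrade_dir_name() {
    $identity = get_site_url() . '|' . get_current_blog_id() . '|' . ABSPATH;
    $mac      = hash_hmac( 'sha256', $identity, wp_salt( 'auth' ) );
    return 'wp-upgrade-' . substr( $mac, 0, 32 );
}

/**
 * Reject anything that is not a real directory, owned by us, mode 0700.
 * A symlink or a group/world-accessible directory in shared /tmp is exactly
 * the cross-tenant write vector the comment warns about.
 */
function wpe_example_dir_is_ours( $dir ) {
    clearstatcache( true, $dir );
    if ( is_link( $dir ) || ! is_dir( $dir ) ) {
        return false;
    }
    $uid = function_exists( 'posix_geteuid' ) ? posix_geteuid() : getmyuid();
    if ( fileowner( $dir ) !== $uid ) {
        return false;
    }
    return ( fileperms( $dir ) & 0077 ) === 0;
}

/**
 * Create the private directory (mkdir fails if the path already exists, so a
 * pre-planted entry is detected rather than silently reused) and return its
 * path, or false if it is not safe to use.
 */
function wpe_example_secure_tmp_dir( $base = null ) {
    $base = $base ?: sys_get_temp_dir();
    $dir  = rtrim( $base, '/\\' ) . '/' . wpe_example_private_upgrade_dir_name();

    if ( ! @mkdir( $dir, 0700 ) && ! wpe_example_dir_is_ours( $dir ) ) {
        return false;
    }
    return wpe_example_dir_is_ours( $dir ) ? $dir : false;
}

add_filter( WPE_EXAMPLE_UPGRADE_DIR_FILTER, function ( $default_dir ) {
    $dir = wpe_example_secure_tmp_dir();
    if ( false === $dir ) {
        // Fail closed: keep core's in-webroot default rather than hand
        // updates to a directory another tenant may control.
        error_log( 'upgrade dir under temp is unsafe; keeping ' . $default_dir );
        return $default_dir;
    }
    return $dir;
}, PHP_INT_MAX );
```

The unpredictable name is the primary defence: with a fixed or guessable subpath a neighbouring tenant could create it first (or drop a symlink there) and then tamper with unpacked update files. The ownership and mode checks catch a planted directory, but a window between check and use remains, so the checks complement the entropy rather than replace it.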
