[wp-trac] [WordPress Trac] #48316: Changeset 46482 breaks upload when using ".." in upload_path.
WordPress Trac
noreply at wordpress.org
Thu Mar 16 04:38:55 UTC 2023
#48316: Changeset 46482 breaks upload when using ".." in upload_path.
----------------------------+----------------------
Reporter: xpoon | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Filesystem API | Version: 5.2.4
Severity: normal | Resolution: wontfix
Keywords: dev-feedback | Focuses:
----------------------------+----------------------
Changes (by peterwilsoncc):
* status: reopened => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
I'm going to close this off as I don't think there is anything that
WordPress can safely do to account for advanced configurations in which
`UPLOADS` intentionally includes path traversal.
For sites where the uploads folder's real path is outside the content
directory, using a symlink remains an effective method for handling the
situation. I know the method is quite
[https://github.com/peterwilsoncc/doitlive.peterwilson.cc/blob/655d6c6a7301198d63628894ff05ab4dcfaa2672/uploads
effective from personal experience].
From a security perspective, choosing to allow path traversal is very
risky. To do so for a setup that can be solved with a symlink isn't worth
the risk.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48316#comment:33>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
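
The symlink approach recommended in the comment above, as an added example that is not part of the original message and is not WordPress code. It assumes a constructed directory layout in a temp dir, hypothetical path values, and a simple lexical ".." segment check standing in for whatever validation rejects the traversal-style path.

```shell
# Constructed layout and values; helper names are hypothetical.

# Succeeds if any "/"-separated segment of $1 is exactly "..".
# A name such as "my..uploads" is not a traversal segment and passes.
has_dotdot_segment() (
    set -f      # no globbing while splitting on "/"
    IFS=/
    for seg in $1; do
        if [ "$seg" = ".." ]; then exit 0; fi
    done
    exit 1
)

# Point <content_dir>/uploads at a directory outside the content dir.
# Refuses to replace anything that already exists at that location.
link_uploads() (
    content_dir=$1; real_uploads=$2
    if [ -e "$content_dir/uploads" ] || [ -L "$content_dir/uploads" ]; then
        exit 1
    fi
    ln -s "$real_uploads" "$content_dir/uploads"
)

# Physical (symlink-resolved) location of a directory.
real_dir() ( cd "$1" && pwd -P )

demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/site/wp-content" "$root/shared/uploads"
    old="wp-content/../../shared/uploads"   # traversal-style value
    new="wp-content/uploads"                # value once the symlink exists
    rc=1
    if has_dotdot_segment "$old" &&
       link_uploads "$root/site/wp-content" "$root/shared/uploads" &&
       ! has_dotdot_segment "$new" &&
       : > "$root/site/$new/test.txt" &&
       [ -f "$root/shared/uploads/test.txt" ] &&
       [ "$(real_dir "$root/site/$new")" = "$(real_dir "$root/shared/uploads")" ]
    then rc=0; fi
    rm -rf "$root"
    exit "$rc"
)

demo && echo "uploads resolve outside wp-content with no '..' in the path"
```

The configured path stays free of ".." segments, while files written through it land in the external directory, so the location outside the content directory is an explicit filesystem decision rather than something encoded in the path string.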