[wp-trac] [WordPress Trac] #62693: check if chmod is available to prevent Fatal Errors

WordPress Trac noreply at wordpress.org
Sat Dec 14 20:04:36 UTC 2024


#62693: check if chmod is available to prevent Fatal Errors
--------------------------+-----------------------------
 Reporter:  maltfield     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 There is a bug in WordPress that prevents users from uploading media if
 their PHP server was hardened following common best practices.

 {{{
 chmod( $new_file, $perms );
 }}}


 This line causes a PHP Fatal error on hardened systems with the chmod
 function disabled.

 {{{
 PHP Fatal error:  Uncaught Error: Call to undefined function chmod() in
 /var/www/html/store.opensourceecology.org/htdocs/wp-
 admin/includes/file.php:1043\nStack trace:\n#0
 /var/www/html/store.opensourceecology.org/htdocs/wp-
 admin/includes/file.php(1105): _wp_handle_upload()\n#1
 /var/www/html/store.opensourceecology.org/htdocs/wp-
 admin/includes/media.php(306): wp_handle_upload()\n#2
 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/ajax-
 actions.php(2632): media_handle_upload()\n#3
 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/async-
 upload.php(33): wp_ajax_upload_attachment()\n#4 {main}\n  thrown in
 /var/www/html/store.opensourceecology.org/htdocs/wp-
 admin/includes/file.php on line 1043', referer:
 https://store.opensourceecology.org/wp-admin/upload.php
 }}}

 == Why this matters

 For security reasons, orgs frequently configure `php.ini` to be hardened
 by adding many dangerous functions to the `disable_functions` variable in
 the `php.ini` file. For example, it's common to disable the `exec`
 function:

 {{{
 disable_functions = exec
 }}}

 And, for security reasons, it's also common to disable functions like
 `chmod`.

 == Solution

 To fix the PHP Fatal error, WordPress should always check to see if the
 `chmod` function exists before attempting to call it:


 {{{
 if ( function_exists( 'chmod' ) ) {
    chmod( $new_file, $perms );
 }
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62693>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
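
The guard proposed in the ticket skips the call silently, so on a host with `chmod` disabled the file keeps whatever mode it was created with. The following is an added example, not WordPress core code and not from the ticket; `example_set_upload_perms` is a hypothetical name and the temp file is a constructed stand-in for an upload. It applies the guard and then reports any permission bits left on the file beyond those requested:

```php
<?php
// Added example; hypothetical helper, not part of WordPress.

/**
 * Apply $perms to $file when chmod() is callable; otherwise report whether
 * the mode the file already has grants bits beyond $perms.
 *
 * @return array{changed: bool, mode: int|null, excess: int}
 */
function example_set_upload_perms( string $file, int $perms ): array {
	$changed = false;

	// function_exists() is false for functions listed in disable_functions,
	// so the call is skipped instead of raising "Call to undefined function".
	if ( function_exists( 'chmod' ) ) {
		$changed = @chmod( $file, $perms );
	}

	// Cached stat data would hide a change that was just made.
	clearstatcache( true, $file );

	// fileperms() can be disabled on the same hosts; guard it as well.
	$mode = function_exists( 'fileperms' ) ? @fileperms( $file ) : false;
	if ( false === $mode ) {
		return array( 'changed' => $changed, 'mode' => null, 'excess' => 0 );
	}

	$mode &= 0777; // Keep the permission bits only.

	// Bits set on the file that the caller did not ask for, for example a
	// world-writable bit left by a loose umask.
	$excess = $mode & ~$perms & 0777;

	return array( 'changed' => $changed, 'mode' => $mode, 'excess' => $excess );
}

// Constructed demo: a temp file stands in for the uploaded file.
$file   = tempnam( sys_get_temp_dir(), 'upl' );
$result = example_set_upload_perms( $file, 0644 );

printf( "chmod applied: %s, mode: %04o\n", $result['changed'] ? 'yes' : 'no', (int) $result['mode'] );
if ( 0 !== $result['excess'] ) {
	error_log( sprintf( 'Upload %s has extra permission bits %04o', $file, $result['excess'] ) );
}
unlink( $file );
```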