Opened 8 months ago

Closed 7 months ago

#21855 closed defect (bug) (invalid)

Several files are group writable, breaking suPHP-based setups

Reported by: JeremyVisser
Owned by:
Priority: normal
Milestone:
Component: Filesystem
Version: 3.4.2
Severity: normal
Keywords:
Cc:

Description

After upgrading to WordPress 3.4.2, I found the following files are group writable:

  • wp-admin/about.php
  • wp-admin/setup-config.php
  • wp-admin/includes/class-wp-themes-list-table.php
  • wp-admin/includes/class-wp-plugins-list-table.php
  • wp-admin/includes/meta-boxes.php
  • wp-admin/includes/update-core.php
  • wp-admin/includes/class-wp-upgrader.php
  • wp-admin/includes/class-wp-ms-themes-list-table.php
  • wp-admin/plugins.php
  • wp-admin/index.php
  • wp-admin/js/link.dev.js
  • wp-admin/js/link.js
  • wp-admin/js/customize-controls.js
  • wp-admin/js/post.dev.js
  • wp-admin/js/post.js
  • wp-admin/js/customize-controls.dev.js

An example ls -l:

-rw-rw-r-- 1 wordpress www-data  5473 Sep  7 08:15 /var/www/wordpress/wp-admin/index.php

This is in contrast to the majority of files:

-rw-r--r-- 1 wordpress www-data 395 Jun 14 18:14 /var/www/wordpress/index.php

This causes suPHP errors such as the following:

SoftException in Application.cpp:249: File "/var/www/wordpress/wp-admin/index.php" is writeable by group
Premature end of script headers: index.php

A temporary workaround is to chmod g-w these files on my end, but the permissions get overwritten every time an SVN update occurs.

Change History (4)

  • Component changed from Administration to Filesystem
  • Keywords reporter-feedback added

WordPress built-in updates use 0755/0644 for dirs/files.

> but the permissions get overwritten every time an SVN update occurs.

Are you using the built-in upgrade functions, or SVN directly? If using the built-in upgrade functions, does it use FTP or direct file IO operations? (FTP: it prompts for FTP login details; direct IO doesn't.)

  • Keywords reporter-feedback removed

Sorry, I didn't realise you were awaiting my feedback — I thought the answer was rather obvious given what I have written above.

To answer your question directly: I am using SVN directly, not the built-in upgrader.

Not that it has much relevance to the validity of the bug. Wrong permissions are wrong.

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

> I thought the answer was rather obvious given what I have written above.

Which is why I asked.

SVN doesn't have any special permissions set on any files. Any file permission changes are happening on your local end.

Dions-MacBook-Air:wordpress-commit dionhulse$ ls -l index.php wp-admin/index.php
-rw-r--r--  1 dionhulse  _www   395B 13 Oct 23:44 index.php
-rw-r--r--  1 dionhulse  _www   6.2K 30 Oct 12:33 wp-admin/index.php

Dions-MacBook-Air:wordpress-commit dionhulse$ svn proplist index.php wp-admin/index.php
Properties on 'index.php':
  svn:eol-style
  svn:keywords
Properties on 'wp-admin/index.php':
  svn:eol-style
  svn:keywords

Closing as invalid pending any information which points otherwise.
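
A repeatable form of the chmod g-w workaround from the report, for a checkout whose permissions change on the local end after each SVN update. This is an added example, not code from the ticket or from WordPress; the function names and the docroot argument are hypothetical, and the umask step assumes (the ticket does not confirm it) that a permissive umask in the updating shell is what sets the group write bit.

```shell
#!/bin/sh
# Added example: audit and repair the group-writable files that suPHP rejects.
# All function names are hypothetical; pass your own checkout path as $1.

# Print every regular file under $1 that has the group write bit set.
# .svn metadata directories are pruned: they are never executed through suPHP.
list_group_writable() {
    find "$1" -type d -name .svn -prune -o -type f -perm -020 -print | sort
}

# Strip the group write bit from those files and print how many were changed.
fix_group_writable() {
    count=$(list_group_writable "$1" | wc -l | tr -d ' ')
    find "$1" -type d -name .svn -prune -o -type f -perm -020 \
        -exec chmod g-w {} +
    echo "$count"
}

# Update the checkout, then re-apply the fix so the workaround survives.
# Assumption: files rewritten by the update get mode 0666 masked by the
# current umask, so 022 yields 0644 and 002 yields the 0664 seen in the report.
svn_update_strict() {
    ( umask 022 && svn update "$1" ) || return 1
    fix_group_writable "$1"
}
```

Run list_group_writable on its own first to see which files would be touched before letting fix_group_writable change them.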
