get_filesystem_method() uses wrong owner for validation
Reported by: cyberspice | Owned by: dd32
The function get_filesystem_method() creates a temporary file and then checks the ownership, comparing it with the result of getmyuid(). getmyuid() does not return the owner of the web server process but of the file calling getmyuid(), in this case wp-admin/includes/file.php. This means that in order to support automatic update the WordPress files have to be owned by the same process as the webserver regardless of permissions on the files. This is a potential security risk.
If posix_getuid() is used where available, then the owner of the webserver process is compared to the ownership of the temp file. The WordPress files can be owned by someone else and the update system works as long as the webserver has permissions to write.
I have written more about this (together with a fix) in my blog.
Change History (6)
- Milestone Unassigned deleted
- Resolution set to duplicate
- Status changed from new to closed
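
The two ownership comparisons discussed in this ticket, side by side, as an added PHP example (not WordPress code and not the reporter's fix). The function name `compare_owner_checks` and the array keys are hypothetical.

```php
<?php
// Added illustration, not WordPress code. compare_owner_checks() and the
// array keys it returns are hypothetical names.

/**
 * Create a scratch file in $dir, then compare its owner with
 *  - getmyuid():     owner of the script file PHP is executing
 *  - posix_getuid(): real UID of the PHP / web server process
 * Returns null when the process cannot create a file in $dir.
 */
function compare_owner_checks(string $dir): ?array
{
    $path = rtrim($dir, '/') . '/owner-test-' . bin2hex(random_bytes(8));
    $handle = @fopen($path, 'x');          // 'x' fails if the name already exists
    if ($handle === false) {
        return null;                       // no write access: neither check applies
    }
    fclose($handle);
    clearstatcache(true, $path);
    $fileOwner = fileowner($path);         // UID the OS recorded for the new file
    unlink($path);

    $scriptOwner = getmyuid();
    $processUid  = function_exists('posix_getuid') ? posix_getuid() : null;

    return [
        'temp_file_owner'    => $fileOwner,
        'script_owner'       => $scriptOwner,
        'process_uid'        => $processUid,
        // Passes only when the script file belongs to the account PHP runs as.
        'script_owner_check' => $fileOwner !== false && $scriptOwner === $fileOwner,
        // Passes when the new file's owner is the UID the process runs as.
        'process_uid_check'  => $processUid === null
            ? null                         // POSIX extension missing: no answer
            : $fileOwner !== false && $processUid === $fileOwner,
    ];
}

// Directory to probe: first CLI argument, else the system temp directory.
$dir = $argv[1] ?? sys_get_temp_dir();
var_export(compare_owner_checks($dir));
echo PHP_EOL;
```

When the script file is owned by a different account than the one PHP runs as, `script_owner_check` is false while `process_uid_check` is true for any directory the process can write to.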