Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#12866 closed defect (bug) (fixed)

tmpfile() may use non-writable directory causing upgrades to fail

Reported by: dd32 Owned by: dd32
Milestone: 3.0 Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords: has-patch
Focuses: Cc:

Description

According to ocean90's investigation of a core upgrade issue in #8668, and verified by php.net, tmpfile() may use a temporary directory which is not writable.

The temporary directory may be non-writable due to ACLs, or due to open_basedir restrictions - both bad server configurations.

Example error:

Warning: tmpfile() [function.tmpfile]: open_basedir restriction in effect.
File(/tmp) is not within the allowed path(s): (
/var/www/web39/html/:
/var/www/web39/phptmp/:/var/www/web39/files/:
/var/www/web39/atd/
)in
/var/www/web39/html/blog/wp-admin/includes/class-wp-filesystem-ftpext.php
on line 116

Commit coming up replaced tmpfile() with a wp_tempname()+fopen() call.

Commit also adds static caching to get_temp_dir() as it may be called rather often with this code branch. In addition to that, to protect against more bad server environments, the temporary directory is checked to be writable in all given branches.

Attachments (1)

12866.patch (763 bytes) - added by ocean90 14 years ago.


Change History (5)

#1 @dd32
14 years ago

This appears to be causing some situations of the following errors:

"Unable to locate WordPress Content directory (wp-content)." (Plugin install)

"Unable to locate WordPress Root directory." (Core update)

I thought it would be better to move this to its own ticket rather than the old potentially out of date ticket.

#2 @dd32
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [14016]) Replace use of tmpfile() with a safe get_temp_dir(). tmpfile() may use a temporary directory which is not writable. Add static caching to get_temp_dir() & better protect against bad server configs. Fixes #12866

#3 @ocean90
14 years ago

  • Keywords has-patch added
  • Resolution fixed deleted
  • Status changed from closed to reopened

We should add @ in front of is_writable(). If $tmp is e.g. /tmp I get an open_basedir warning.

Warning: is_writable() [function.is-writable]: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s):

@ocean90
14 years ago

#4 @dd32
14 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [14427]) Silence PHP Warnings on is_writable calls. Can trigger open_basedir warnings on certain hosting environments. Props ocean90. Fixes #12866
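
The approach discussed in this ticket (choose a temporary directory that is verified writable, cache the result, silence is_writable() warnings, and open the file with fopen() instead of tmpfile()), as an added example. It is not the code from [14016] or [14427]; the function names example_get_temp_dir() and example_open_temp_file() and the fallback directory are assumptions.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.

/** Return a writable temp directory with trailing slash, or '' if none is usable. */
function example_get_temp_dir(): string {
    static $cached = null;            // resolved once; later calls reuse the answer
    if ($cached !== null) {
        return $cached;
    }
    $candidates = array_filter([
        ini_get('upload_tmp_dir'),
        sys_get_temp_dir(),
        __DIR__ . '/tmp',             // assumption: application-owned fallback directory
    ]);
    $cached = '';
    foreach ($candidates as $dir) {
        // @ suppresses the open_basedir warning; outside the allowed paths
        // the calls just return false and the next candidate is tried.
        if (@is_dir($dir) && @is_writable($dir)) {
            $cached = rtrim($dir, '/\\') . '/';
            break;
        }
    }
    return $cached;
}

/** Open a read/write temp file in the checked directory; returns [handle, path]. */
function example_open_temp_file(string $prefix = 'tmp'): array {
    $dir = example_get_temp_dir();
    if ($dir === '') {
        throw new RuntimeException('No writable temporary directory available');
    }
    // tempnam() creates a uniquely named file, but it may fall back to the
    // system temp directory, so confirm the file landed where we asked.
    $path = @tempnam($dir, $prefix);
    $real_dir = realpath($dir);
    if ($path === false || $real_dir === false || realpath(dirname($path)) !== $real_dir) {
        if ($path !== false) {
            @unlink($path);
        }
        throw new RuntimeException('Could not create a temporary file in ' . $dir);
    }
    $handle = @fopen($path, 'w+');
    if ($handle === false) {
        @unlink($path);
        throw new RuntimeException('Could not open temporary file ' . $path);
    }
    return [$handle, $path];          // caller must fclose() and unlink()
}
```

Unlike tmpfile(), a file opened this way is not removed automatically when the handle is closed, so the caller has to delete it after use.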
