Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#15021 closed defect (bug) (duplicate)

get_filesystem_method has a bogus direct method detection

  • Reported by: landure
  • Owned by:
  • Milestone:
  • Priority: normal
  • Severity: normal
  • Version: 3.0.1
  • Component: Filesystem API
  • Keywords: FS_METHOD, file, get_filesystem_method
  • Focuses:
  • Cc:


In wp-admin/includes/file.php, the function get_filesystem_method is used to detect the available fs_methods.

When testing for the direct method, the following test is successful only if the PHP script calling the method is owned by the web server user.

      if ( getmyuid() == @fileowner($temp_file_name) )

For example, for direct fs_method auto-detection to work when installing a plugin, the wp-admin/update.php script must be owned by www-data:www-data (on a Debian GNU/Linux OS).

A possible correction to this is:

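      if ( function_exists('posix_getuid') ) {
        // Compare the UID of the PHP process with the owner of the temp file.
        if ( posix_getuid() == @fileowner($temp_file_name) )
          $method = 'direct';
      } elseif ( getmyuid() == @fileowner($temp_file_name) ) {
        // Fall back to the original test: the owner of the running script.
        $method = 'direct';
      }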

This correction uses posix_getuid instead of getmyuid when possible (Unix systems, for example). If posix_getuid is not available, it falls back to the original getmyuid test.

With this code, the direct FS_METHOD is correctly autodetected on a Debian GNU/Linux 5.0 Lenny system with all WordPress files ownership set to root user instead of www-data (except for wp-content directory).
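
An added example, not part of the original ticket or of WordPress core: a stand-alone PHP probe that reports the two UIDs the ticket contrasts, next to the owner of a file the process has just created. The helper name probe_direct_method() and the probe file name are assumptions made for the illustration.

```php
<?php
// Added illustration, not WordPress core code.
// probe_direct_method() is a hypothetical helper; the probe file name is constructed.

function probe_direct_method(string $context): array
{
    $temp_file_name = rtrim($context, '/') . '/owner-probe-' . bin2hex(random_bytes(8));

    // Mode 'x' refuses to open a path that already exists, so the probe
    // never truncates or takes over a file that is already in place.
    $handle = @fopen($temp_file_name, 'x');
    if ($handle === false) {
        return ['writable' => false];
    }
    fclose($handle);

    clearstatcache(true, $temp_file_name);
    $file_owner = fileowner($temp_file_name);
    unlink($temp_file_name);

    // getmyuid(): UID that owns the running script file on disk.
    $script_owner = getmyuid();
    // posix_getuid(): real UID of the PHP process (needs the posix extension).
    $process_uid = function_exists('posix_getuid') ? posix_getuid() : null;

    return [
        'writable'      => true,
        'file_owner'    => $file_owner,
        'script_owner'  => $script_owner,
        'process_uid'   => $process_uid,
        // Test quoted in the ticket: script owner against new file owner.
        'original_test' => $script_owner === $file_owner,
        // Test proposed in the ticket. A file the process has just created is
        // normally owned by that same process, so this mostly reports whether
        // the directory is writable.
        'proposed_test' => $process_uid !== null
            ? $process_uid === $file_owner
            : $script_owner === $file_owner,
    ];
}

print_r(probe_direct_method(sys_get_temp_dir()));
```

On the setup described in the ticket (script files owned by root, PHP running as www-data) original_test is false and proposed_test is true, and files written through the direct method then belong to the web server account rather than to the owner of the WordPress files.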

Change History (1)

#1 @nacin
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed