Opened 14 years ago
Closed 14 years ago
#15021 closed defect (bug) (duplicate)
get_filesystem_method has a bogus direct method detection
Reported by: | landure | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.0.1 |
Component: | Filesystem API | Keywords: | FS_METHOD, file, get_filesystem_method |
Focuses: | Cc: |
Description
in wp-admin/includes/file.php, the function get_filesystem_method is used to detect the available fs_methods.
When testing for direct method, the following test is successfull only if the php script calling the method is owned by the web server user.
if ( getmyuid() == @fileowner($temp_file_name) ) $method='direct';
For exemple, for direct fs_method auto detection to work when installing a plugin, the wp-admin/update.php script must be owned by www-data:www-data (on a debian GNU/Linux OS).
A possible correction to this is :
if ( function_exists('posix_getuid') ) { if ( posix_getuid() == @fileowner($temp_file_name) ) $method = 'direct'; } elseif ( getmyuid() == @fileowner($temp_file_name) ) $method = 'direct';
This correction use posix_getuid instead of getmyuid when possible (unix systems for examble). If posix_getuid is not available, it fallback to the original getmyuid test.
With this code, the direct FS_METHOD is correctly autodetected on a Debian GNU/Linux 5.0 Lenny system with all wordpress files ownership set to root user instead of www-data (except for wp-content directory).
#10205