WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#21251 closed defect (bug)

Media uploads ignore FS_CHMOD_FILE — at Initial Version

Reported by: mikewolf53 Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.4.1
Component: Upload Keywords:
Focuses: Cc:

Description

To Reproduce:

  1. Have Apache configured such that secure permissions are as follows:
  • 0710 directories
  • 0600 PHP files
  • 0640 All other files (anything that must be read by Apache rather than PHP)
  1. Set permissions on all files and directories as described above.
  1. Set the following in your wp-config.php
    define('FS_CHMOD_DIR', (0710 & ~ umask()));
    define('FS_CHMOD_FILE', (0640 & ~ umask()));
    
  1. Upload a file using your media library.
  1. Notice that the uploaded file has permissions of 0600 instead of 640.

Expected Result

Files uploaded should obey the FS_CHMOD_FILE directive, and the uploaded file should have permissions of 0640.

Actual Result

Wikipedia sets permissions of the file by taking its parent directory's permissions and stripping the executable bits, leaving the file unreadable to Apache. The result is 0600.

Relevant Info

These files (and likely more) ignore FS_CHMOD_FILE when uploading files to the server:

/wp-includes/functions.php

        // Set correct file permissions
        $stat = @ stat( dirname( $new_file ) );
        $perms = $stat['mode'] & 0007777;
        $perms = $perms & 0000666;
        @ chmod( $new_file, $perms );

/wp-includes/media.php

        // Set correct file permissions
        $stat = stat( dirname( $destfilename ));
        $perms = $stat['mode'] & 0000666; //same permissions as parent folder, strip off the executable bits
        @ chmod( $destfilename, $perms );

/wp-admin/includes/file.php

        // Set correct file permissions
        $stat = stat( dirname( $new_file ));
        $perms = $stat['mode'] & 0000666;
        @ chmod( $new_file, $perms );

This is problematic in the case where suEXEC+fcgid or suPHP are being used and Apache has group ownership on files/directories. In this case, the secure permissions would be:

  • 0710 directories
  • 0600 PHP files
  • 0640 All other files (anything that must be read by Apache rather than PHP)

The code in each of the files above causes files to be uploaded with permissions of 600, which is unreadable by Apache.

Change History (0)

Note: See TracTickets for help on using tickets.