Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #36177, comment 7


Timestamp: 04/28/2016 03:18:06 PM (8 years ago)
Author: bendoh
  • Ticket #36177, comment 7

    initial  v1
    11       11
    12       12
    13            This works for me, but it may break existing plugins that would (stupidly) rely on executing uploaded PHP file.
             13   This works for me, but it may break existing plugins that would (stupidly) rely on executing uploaded PHP files.
    14       14
    15       15   But how does this particular .htaccess file get locked down? Presumably wp-content/uploads is writable by the webserver, so it doesn't completely prevent vulnerable code from manipulating or deleting this file entirely. What springs to mind is using a sticky bit on wp-content/uploads so that as long as .htaccess isn't owned by the webserver, that file can't be manipulated from vulnerable PHP code.
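
The sticky-bit arrangement raised in the comment can be checked on a host. The Python below is an added example, not part of the ticket or of WordPress; the function name `audit_uploads`, its finding labels and the `web_uid`/`web_gids` parameters are assumptions made here. It also checks who owns the directory, because the sticky bit still lets a directory's owner remove any entry in it.

```python
import os
import stat
import tempfile

def audit_uploads(uploads_dir, web_uid, web_gids=()):
    """List the ways the web server user (web_uid, member of web_gids) could
    still delete or rewrite uploads_dir/.htaccess. Empty list: none found."""
    findings = []
    d = os.stat(uploads_dir)
    # Without the sticky bit, write access to the directory is enough to
    # unlink or replace any entry, whoever owns it.
    if not d.st_mode & stat.S_ISVTX:
        findings.append("dir-not-sticky")
    # With the sticky bit, the directory's owner may still remove entries.
    if d.st_uid == web_uid:
        findings.append("dir-owned-by-web-user")
    try:
        f = os.lstat(os.path.join(uploads_dir, ".htaccess"))
    except FileNotFoundError:
        return findings + ["htaccess-missing"]
    if not stat.S_ISREG(f.st_mode):
        findings.append("htaccess-not-regular-file")
    # Content can be rewritten in place without unlinking, so check the
    # file's own permission class for the web user as the kernel would.
    if f.st_uid == web_uid:
        findings.append("htaccess-owned-by-web-user")
    elif f.st_gid in web_gids:
        if f.st_mode & stat.S_IWGRP:
            findings.append("htaccess-group-writable")
    elif f.st_mode & stat.S_IWOTH:
        findings.append("htaccess-world-writable")
    return findings

if __name__ == "__main__":
    # Constructed sample tree; "web server" is a hypothetical uid that
    # differs from the user running this script.
    demo = tempfile.mkdtemp()
    path = os.path.join(demo, ".htaccess")
    with open(path, "w") as fh:
        fh.write("# constructed sample\n")
    os.chmod(path, 0o644)
    for mode in (0o0777, 0o1777):
        os.chmod(demo, mode)
        print(oct(mode), audit_uploads(demo, os.getuid() + 1))
```

The check reads only classic owner/group/other mode bits; POSIX ACLs and processes running with elevated privileges are outside what it covers.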