Make WordPress Core

Opened 7 years ago

Closed 5 years ago

#40572 closed defect (bug) (fixed)

.htaccess has incorrect permissions after installation

Reported by: i3anaan's profile i3anaan Owned by: rcutmore's profile rcutmore
Milestone: 5.4 Priority: normal
Severity: normal Version: 4.7.4
Component: Upgrade/Install Keywords: good-first-bug has-patch needs-testing
Focuses: administration Cc:

Description

Having used the WordPress installation instructions and the .htaccess was installed on the server with 0600 permissions, instead of 0644 permissions (like all the other files). This caused our installation to function incorrectly, denying access to at least the login page.

Steps to reproduce:

  • Install wordpress
  • Fill in online 'setup' (the one where you choose admin credentials)
  • Be redirected to the wp-login.php
  • Get a 403 error

Attachments (1)

40572.patch (536 bytes) - added by rcutmore 7 years ago.
Modify .htaccess to a minimum set of permissions during creation

Download all attachments as: .zip

Change History (10)

#1 @dd32
7 years ago

  • Focuses administration added
  • Keywords needs-patch good-first-bug added

Welcome to the WordPress Trac @i3anaan

WordPress doesn't specify what permissions the .htaccess file should be created as, defaulting to whatever the server defaults to.
A Server with a umask of 0066 seems unlikely, but appears to be the case here.

It looks to me like we can probably always set the file permissions to a minimum of 0644 using something like the following in the creation branch of insert_with_markers():

if ( $perms = fileperms( $filename ) ) {
	chmod( $filename, $perms | 0644 );
}

In order to test implementation details of this, it might be helpful to whomever patches this to put umask( 0066 ) into your wp-config.phpfile to simulate the reporters environment and test your patch's effectiveness.

#2 @i3anaan
7 years ago

Hey @dd32, thank you for your response!

I just want to verify that for now there is no further action required from my side?

#3 @dd32
7 years ago

@i3anaan Correct! We don't need anything from you at present, when there's a patch uploaded or a commit to WordPress testing a fresh WordPress install in a subdirectory install to verify it fixes it would be appreciated - but not needed.

Thanks for taking the time to report the issue!

@rcutmore
7 years ago

Modify .htaccess to a minimum set of permissions during creation

#4 @rcutmore
7 years ago

Hi @dd32

I added 40572.patch to ensure a minimum set of permissions when creating the .htaccess file. I manually tested the patch and it resolves the issue for me when using a server umask of 0066. Should there be a unit test created for this?

#5 @rcutmore
7 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

#6 @DrewAPicture
7 years ago

  • Owner set to rcutmore
  • Status changed from new to assigned

Assigning ownership to mark the good-first-bug as "claimed".

This ticket was mentioned in Slack in #core by sergey. View the logs.


5 years ago

#8 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 5.4

#9 @SergeyBiryukov
5 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 47005:

Upgrade/Install: When creating the .htaccess file in insert_with_markers(), make sure it has 0644 as a minimum set of permissions.

Props rcutmore, dd32, i3anaan.
Fixes #40572.

Note: See TracTickets for help on using tickets.