Language pack download requires too broad file system permissions

[kpumuk]

Language packs are installed into wp-content/languages directory. The problem is, even if the directory exists, and WordPress is allowed to create files there, it is still required to:

• for WordPress to have permissions in the wp-content directory. This is because $upgrader->fs_connect() is called with an array of two directories – WP_CONTENT_DIR and WP_LANG_DIR, and fs_connect() only checks the permissions to the first one.
• for WordPress to have the exact file owner for the wp-content directory. Cause - wp_can_install_language_pack() calls fs_connect() wihout $allow_relaxed_file_ownership

I think languages, downloaded from a known source, should not require such a draconian measures. Instead, WordPress should successfully download and install languages if it can write to wp-content/languages directory (and not require ownership permissions for either wp-content or wp-content/languages.

[marsjaninzmarsa]

Need to remember that language packs are not just pomo files, it may also contain PHP files with permissions to run arbitrary code. Not sure how exactly it's related to above, but security measures should be same as with themes/plugins.

[SergeyBiryukov]

Replying to marsjaninzmarsa:

Need to remember that language packs are not just pomo files, it may also contain PHP files with permissions to run arbitrary code.

Strictly speaking, language packs downloaded from translate.wordpress.org do indeed contain only .po/.mo files.

Locale-specific PHP files like ​sr_RS.php are only present in packages downloaded from local sites like ​https://sr.wordpress.org/ and are not included in language packs.