Opened 7 years ago
Last modified 6 years ago
#42986 reopened enhancement
Insert default filters to wp_delete_file to not delete core files.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.9.1 |
| Component: | Media | Keywords: | |
| Focuses: | | Cc: | |
Description
I see many plugins that don't use the WordPress method to delete files (they use unlink) even though wp_delete_file exists. You can of course add a filter, but I think that if there is no filter by default, the method can be used to remove anything, including core files.
If everyone agrees and approves this ticket, I can implement it.
Attachments (3)
Change History (6)
@
7 years ago
Sorry for the errors in the last two files. This is the real diff that I believe will help security when removing files.
#1
@
7 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Hey @lenon and welcome to Trac.
Thanks for submitting this, however, this doesn't seem like something which is needed in WordPress.
My issues with this are:
- Plugins could bypass this by using `unlink()` directly
- We can't enforce plugins to use `wp_delete_file()`
- We can't prevent plugins from using `unlink()`.
- Plugins should not allow deletion of arbitrary files, if a plugin allows for `wp_delete_file()` to be passed `ABSPATH` it's not sanitizing its input correctly.

I'm going to close this as `wontfix`, however, you can still reply and we can re-open it if you can explain the benefits of adding this.
#2
@
7 years ago
- Resolution wontfix deleted
- Status changed from closed to reopened
The vulnerability recently published by ripstech ( https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ ) could have been avoided if this implementation had been accepted and wp_delete_file had been used. I still believe that WordPress needs a more secure option for deleting files.
Diff with a new idea to help security when removing files
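
The kind of default filter discussed in this ticket, as an added example (not code from the ticket's attachments or from WordPress core): a `wp_delete_file` filter that lets a deletion proceed only when the path resolves inside the uploads directory. `example_confine_delete` is a hypothetical helper name, and limiting deletions to the uploads directory is an assumed policy.

```php
<?php
/**
 * Added example (hypothetical helper, not WordPress core code).
 * Returns $file unchanged when it resolves to a path inside $base,
 * or '' so that wp_delete_file() skips its unlink() call.
 */
function example_confine_delete( $file, $base ) {
	$base_real = realpath( $base );
	// Resolve the parent directory so "../" segments and symlinked
	// directories are collapsed before the comparison.
	$dir_real = realpath( dirname( (string) $file ) );
	$name     = basename( (string) $file );

	if ( false === $base_real || false === $dir_real
		|| '' === $name || '.' === $name || '..' === $name ) {
		return '';
	}

	$candidate = $dir_real . DIRECTORY_SEPARATOR . $name;
	$prefix    = rtrim( $base_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

	// Prefix match on the resolved path; the trailing separator stops
	// "/uploads-old/x" from matching a base of "/uploads".
	return 0 === strpos( $candidate, $prefix ) ? $file : '';
}

// Inside WordPress: hook the filter that wp_delete_file() applies to its argument.
if ( function_exists( 'add_filter' ) ) {
	add_filter(
		'wp_delete_file',
		function ( $file ) {
			$uploads = wp_get_upload_dir(); // 'basedir' is the uploads root.
			return example_confine_delete( $file, $uploads['basedir'] );
		}
	);
}
```

As the first reply points out, this only affects code that calls `wp_delete_file()`; a direct `unlink()` never reaches the filter.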