WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#48316 reopened defect (bug)

Changeset 46482 breaks upload when using ".." in upload_path. — at Initial Version

Reported by: xpoon Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.2.4
Component: Filesystem API Keywords:
Focuses: Cc:

Description

Hi,

We just found out that changeset 46482 (https://core.trac.wordpress.org/changeset/46482/) in the latest WordPress 5.2.4 broke a huge number of our customer's sites (tens or thousands).

We uses a separate subdomain as upload directory. This is done by changing the option "upload_path" to "../../media.example.com/www/" (and "upload_url_path" to "http://media.example.com").

This change means that new directories (for example "./2019/10/") can't be created, which breaks the entire upload functionality.

If this changeset fixed some critical vulnerability which can't be fixed another way or if we are the only ones utilizing this feature, so be it. Otherwise this change might have to be reverted and reimplemented some other way.

Change History (0)

Note: See TracTickets for help on using tickets.