WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#48316 reopened defect (bug)

Changeset 46482 breaks upload when using ".." in upload_path. — at Version 1

Reported by: xpoon Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.2.4
Component: Filesystem API Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Hi,

We just found out that changeset [46482] in the latest WordPress 5.2.4 broke a huge number of our customer's sites (tens or thousands).

We uses a separate subdomain as upload directory. This is done by changing the option "upload_path" to "../../media.example.com/www/" (and "upload_url_path" to "http://media.example.com").

This change means that new directories (for example "./2019/10/") can't be created, which breaks the entire upload functionality.

If this changeset fixed some critical vulnerability which can't be fixed another way or if we are the only ones utilizing this feature, so be it. Otherwise this change might have to be reverted and reimplemented some other way.

Change History (1)

#1 @SergeyBiryukov
2 years ago

  • Description modified (diff)
  • Milestone changed from Awaiting Review to 5.2.5
Note: See TracTickets for help on using tickets.