Opened 5 years ago
Last modified 4 years ago
#48369 new defect (bug)
Uploaded media files created with incorrect permissions if directory set to 751.
Reported by: | jonathangilpin | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.2.3 |
Component: | Upload | Keywords: | |
Focuses: | | Cc: | |
Description
I discovered a very strange issue. Files uploaded in the Media Library are having permissions set to 640 instead of 644.
I've tried setting a umask in the wp-config.php file, e.g.
```php
define('FS_CHMOD_FILE', 0644);
```
This seems to have no effect.
Strangely, there are a number of WordPress sites on this box. Only 2 of these have this issue and the others all work fine and set the permissions to 644.
I have uploaded a simple PHP upload script to see if this is a PHP issue, but using the simple upload script the permissions are set to 644. So I'm sure this is a WordPress issue.
I then re-installed WordPress in the Admin interface; this didn't make any difference. I'm running 5.2.4, the latest. I don't think we had this issue before the last update, but I cannot be 100% sure of that.
After digging in File.php I added some debug code:
```php
// Set correct file permissions.
$stat = stat( dirname( $new_file ) );
error_log( "JSG: STAT MODE $stat[mode]" ); // new line
$perms = $stat['mode'] & 0000666;
error_log( "JSG: $perms" ); // new line
```
[18-Oct-2019 15:18:13 UTC] JSG: STAT MODE 16873
[18-Oct-2019 15:18:13 UTC] JSG: 416 <-- this is bad right?
On another site which works fine with the same debug code I have:
DRT JSG: STAT MODE 16877
DRT JSG: 420
This made me look at the code and realise the issue. If the DIR is set to 751, then the permissions on uploaded files are changed to 640, but if the dir is 755 the permissions are set to 644.
Having permissions of 751 is acceptable from a security point of view because the server only needs execute permission on the dir to access the files within it.
Can confirm this issue is still present (April 2021, version 5.7.1). It entirely prevented me from viewing uploaded files. I worked around this by manually setting the correct permissions on a folder and disabling year/month folders.
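
The arithmetic behind the two debug outputs in the description, as an added PHP example (not WordPress core code and not written by anyone on this ticket): it applies the quoted `$stat['mode'] & 0000666` mask to constructed directory modes. The helper names are hypothetical, and `find_unreadable_uploads()` assumes the web server reads uploads through the "other" permission bits.

```php
<?php
// Added illustration, not WordPress core code.

/** File permission bits produced by the mask quoted in the ticket. */
function derived_upload_perms(int $dir_mode): int {
    // Keeps only read/write bits; execute, setgid/sticky and file-type bits are dropped.
    return $dir_mode & 0000666;
}

/** Assumption: the web server reaches uploads through the "other" permission bits. */
function world_readable(int $perms): bool {
    return ($perms & 0004) !== 0;
}

/** Hypothetical audit helper: files under $root that lack the other-read bit. */
function find_unreadable_uploads(string $root): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && !world_readable($file->getPerms())) {
            $hits[] = sprintf('%04o %s', $file->getPerms() & 07777, $file->getPathname());
        }
    }
    return $hits;
}

// Constructed sample modes; 040000 is the directory type bit that stat() reports.
foreach ([040755, 040751, 040750, 040711, 042775] as $dir_mode) {
    $perms = derived_upload_perms($dir_mode);
    printf("dir %04o (stat mode %d) -> file %04o (decimal %d), world-readable: %s\n",
        $dir_mode & 07777, $dir_mode, $perms, $perms, world_readable($perms) ? 'yes' : 'no');
}

// Optional: pass an uploads directory as the first CLI argument to audit it.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo implode("\n", find_unreadable_uploads($argv[1])), "\n";
}
```

The 040755 and 040751 rows correspond to the stat modes 16877 and 16873 logged in the description.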