WordPress.org

Make WordPress Core

Opened 3 months ago

Last modified 3 months ago

#48369 new defect (bug)

Uploaded media files created with incorrect permissions if directory set to 751.

Reported by: jonathangilpin
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.2.3
Component: Upload
Keywords:
Focuses:
Cc:
PR Number:

Description

I discovered a very strange issue. Files uploaded in the Media Library are having their permissions set to 640 instead of 644.

I’ve tried setting a umask in the wp-config.php file, e.g.
define( 'FS_CHMOD_FILE', 0644 );

This seems to have no effect.
Strangely, there are a number of WordPress sites on this box. Only 2 of these have this issue and the others all work fine and set the permissions to 644.

I have uploaded a simple PHP upload script to see if this is a PHP issue, but using the simple upload script the permissions are set to 644. So I’m sure this is a WordPress issue.

I’ve then re-installed WordPress in the Admin interface; this didn’t make any difference. I’m running 5.2.4 – the latest. I don’t think we had this issue before the last update, but I cannot be 100% sure of that.

After digging in File.php I added some debug code:

// Set correct file permissions.
$stat = stat( dirname( $new_file ) );
error_log( "JSG: STAT MODE $stat[mode]" ); // new line
$perms = $stat['mode'] & 0000666;
error_log( "JSG: $perms" ); // new line

[18-Oct-2019 15:18:13 UTC] JSG: STAT MODE 16873
[18-Oct-2019 15:18:13 UTC] JSG: 416 <-- this is bad right?

On another site which works fine with the same debug code I have:

DRT JSG: STAT MODE 16877
DRT JSG: 420

This made me look at the code and realise the issue. If the DIR is set to 751, then the permissions on uploaded files are changed to 640, but if the dir is 755 the permissions are set to 644.

Having permissions of 751 is acceptable from a security point of view because the server only needs execute permission on the dir to access the files within it.
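The mask described in the ticket, reproduced as an added example (not code from the ticket or from WordPress core): it decodes the two logged stat values and repeats the chmod on scratch directories. The function names are hypothetical, a POSIX filesystem and PHP 7 or later are assumed, and the 0750 and 0777 cases go beyond the two directory modes the ticket reports.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

// The mask from the ticket: keep only the read/write bits of the directory mode.
function upload_file_perms( int $dir_mode ): int {
	return $dir_mode & 0000666;
}

// Format the permission bits of a mode as four octal digits, e.g. 0640.
function octal( int $mode ): string {
	return sprintf( '%04o', $mode & 07777 );
}

// Create a scratch directory with $dir_perms, write a file into it, apply the
// mask the way the quoted snippet does, and return the file's resulting perms.
function reproduce( int $dir_perms ): int {
	$dir = sys_get_temp_dir() . '/perm-demo-' . bin2hex( random_bytes( 4 ) );
	mkdir( $dir, 0700 );
	chmod( $dir, $dir_perms ); // chmod() is not affected by the umask
	$new_file = $dir . '/upload.txt';
	file_put_contents( $new_file, 'constructed sample upload' );
	$stat = stat( dirname( $new_file ) );
	chmod( $new_file, upload_file_perms( $stat['mode'] ) );
	clearstatcache();
	$result = fileperms( $new_file ) & 07777;
	unlink( $new_file );
	rmdir( $dir );
	return $result;
}

// 1. Decode the decimal stat modes from the two debug logs in the ticket.
foreach ( array( 16873, 16877 ) as $logged ) {
	$perms = upload_file_perms( $logged );
	printf( "stat mode %d = dir %s -> file %s (decimal %d)\n",
		$logged, octal( $logged ), octal( $perms ), $perms );
}

// 2. Reproduce on disk. 0750 and 0777 are extra cases beyond the ticket.
foreach ( array( 0751, 0755, 0750, 0777 ) as $dir_perms ) {
	$file_perms = reproduce( $dir_perms );
	$note       = '';
	if ( $file_perms & 0002 ) {
		$note = '(world-writable)';
	} elseif ( ! ( $file_perms & 0004 ) ) {
		$note = '(not world-readable)';
	}
	printf( "dir %s -> file %s %s\n", octal( $dir_perms ), octal( $file_perms ), $note );
}
```

Because the file mode is derived from the parent directory, loosening the directory loosens every later upload as well as tightening it: auditing the uploads tree means checking directory modes, not only file modes.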

Change History (1)

#1 @SergeyBiryukov
3 months ago

  • Component changed from General to Upload