WordPress.org

Make WordPress Core

Opened 3 months ago

Last modified 3 months ago

#51170 new defect (bug)

FTP automatic updates are not RFC 959 compliant for NLST command

Reported by: giox069 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.7
Component: Filesystem API Keywords:
Focuses: Cc:

Description

Wordpress uses FTP NLST command to check if a file exists:
https://developer.wordpress.org/reference/classes/wp_filesystem_ftpsockets/exists/

But according RFC 959, NLST is not intended to be applied to a file.

Many ftp servers are permissive, and allowed to execute NLST on files. But a recent update to pure-ftpd removed support for this wordpress non-rfc compliant behaviour.
https://github.com/jedisct1/pure-ftpd/commit/dc71ecfc39a6258d9e49b9918b600a9d46365358

Wordpress should adhere to RFC 959, and check FTP file existence in a different way than NLST command, for example using RFC 3659 commands, and then falling back to NLST if RFC 3659 commands are not available.

Wordpress should also warn the user and stop processing when NLST fails.

See my post here:
https://wordpress.org/support/topic/problems-installing-plugins-and-upgrading-with-newer-pure-ftpd/

Change History (2)

#1 @SergeyBiryukov
3 months ago

  • Component changed from General to Filesystem API

#2 @desrosj
3 months ago

  • Version changed from trunk to 3.7

Looks like nlist() was added in [25274] as part of #14049.

There were attempts to change exists() up in in #28013 as part of WordPress 4.4, but it was reverted in 4.4.1 because of issues on various servers (see #34976 and #35026).

Note: See TracTickets for help on using tickets.