Opened 3 years ago
Last modified 2 years ago
#53204 new defect (bug)
This means any errors on the site will be written to a file which is potentially available to normal users
| Reported by: | kal123 | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.2 |
| Component: | Site Health | Keywords: | reporter-feedback |
| Focuses: | | Cc: | |
Description
"The value, WP_DEBUG_LOG, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is potentially available to normal users."
You are writing a plugin for users who do not know what to do here.
We need clarity on the security issue in a clear, concise paragraph.
Several suggestions on how to fix.
I am a Linux programmer with over 20 years of experience, and I found this vague recommendation to be completely useless.
"potentially": it either is or is not.
"available": how? How do I make it not available?
What is the point of writing a health plugin for normal users and refusing to educate them on what to do about poor health?
Change History (4)
#2
@
2 years ago
- Keywords reporter-feedback added
Hiya @kal123!
What information do you think would help educate users here? Currently the message also includes an action link to the WordPress article on debugging, and what the values do.
The reasoning for the term "potentially" being used here is due to there not being a reliable way to determine if the log location is publicly accessible or not.
There are a few discussions about this (#47985, #46689, #46692), and in r47235 the severity was lowered to recommended if the value of WP_DEBUG_LOG has been configured to an absolute path controlled by the site administrator, and not just the default location used by WordPress.
#3
@
2 years ago
Check that the file is only writable/readable by the same user:group as the regular WP directories.
Check that no access exists for the world permissions
Check that the file is NOT executable by any user.
You want the same permissions as are required on a ~/.ssh/authorized_keys file:
ls -l ~/.ssh/
total 12
-rw------- 1 wpuser wpgroup 780 Oct 9 2021 authorized_keys
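The three checks proposed in this comment, written out as an added shell example that is not code from WordPress core or the Site Health component. It assumes POSIX `ls -ln` output, takes the log path and a reference WordPress directory (for example wp-content) as arguments, and compares numeric uid:gid, the world permission bits, and any execute/setuid/setgid/sticky bits; the paths and files it is run against are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from WordPress core or the Site Health component.
# Implements the three checks proposed in comment #3 for a WP_DEBUG_LOG file:
#   1. same numeric owner and group as a reference WordPress directory,
#   2. no read/write/execute permission for "other" (world),
#   3. not executable (and no setuid/setgid/sticky bits) for anyone.
# Assumes POSIX "ls -ln" output; LOGFILE and REFDIR are supplied by the caller.

check_debug_log_perms() {
    logfile=$1
    refdir=$2
    rc=0

    if [ ! -f "$logfile" ]; then
        echo "FAIL: $logfile is not a regular file"
        return 2
    fi

    # Fields of "ls -ln": mode, link count, uid, gid, size, ...
    set -- $(ls -ln "$logfile")
    mode=$1; uid=$3; gid=$4
    set -- $(ls -lnd "$refdir")
    ref_uid=$3; ref_gid=$4

    # Check 1: ownership matches the reference WordPress directory.
    if [ "$uid" != "$ref_uid" ] || [ "$gid" != "$ref_gid" ]; then
        echo "FAIL: owner $uid:$gid differs from $refdir ($ref_uid:$ref_gid)"
        rc=1
    fi

    # Drop the file-type character and any ACL/xattr suffix ("+", "@", ".");
    # what remains is the nine characters rwxrwxrwx.
    perms=$(printf '%s\n' "$mode" | cut -c2-10)

    # Check 2: the last three characters (world) must all be "-".
    case "$perms" in
        ??????---) ;;
        *) echo "FAIL: world-accessible mode $mode"; rc=1 ;;
    esac

    # Check 3: no execute (x), setuid/setgid (s) or sticky (t) bit anywhere.
    case "$perms" in
        *[xst]*) echo "FAIL: executable or special bit set in mode $mode"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $logfile has mode $mode, owner $uid:$gid"
    fi
    return "$rc"
}

# Usage: sh check_debug_log.sh /path/to/wp-content/debug.log /path/to/wp-content
if [ "$#" -ge 2 ]; then
    check_debug_log_perms "$1" "$2"
fi
```

The function returns 0 only when all three checks pass, 1 when any permission check fails, and 2 when the log file does not exist, so it can be used directly in a cron job or a deployment script's exit status. Group read/write is deliberately allowed, matching the comment's "same user:group as the regular WP directories".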
#4
@
2 years ago
Bottom line: don't add security spam when no user action can be taken to fix the issue.
First think long and hard about what specific user action can be taken and what can be checked to make sure it has been taken. If the answer is "I don't know", then remove the security spam, or don't add it in the first place. Keep it out of WordPress until you do know exactly how to check a fix. Focus on finding out, instead of rushing to create security spam.
Welcome back to Trac!
I've moved this over to the Site Health component so the team members get an eye on it for review.
--
For others' reference, the linked documentation page is https://wordpress.org/support/article/debugging-in-wordpress/