Make WordPress Core

Opened 8 weeks ago

Last modified 8 weeks ago

#62693 new defect (bug)

check if chmod is available to prevent Fatal Errors

Reported by: maltfield
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

There is a bug in WordPress that prevents users from uploading media if their PHP server was hardened following common best practices.

chmod( $new_file, $perms );

This line causes a PHP Fatal error on hardened systems with the chmod function disabled.

PHP Fatal error:  Uncaught Error: Call to undefined function chmod() in /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/file.php:1043\nStack trace:\n#0 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/file.php(1105): _wp_handle_upload()\n#1 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/media.php(306): wp_handle_upload()\n#2 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/ajax-actions.php(2632): media_handle_upload()\n#3 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/async-upload.php(33): wp_ajax_upload_attachment()\n#4 {main}\n  thrown in /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/file.php on line 1043', referer: https://store.opensourceecology.org/wp-admin/upload.php  

Why this matters

For security reasons, orgs frequently configure php.ini to be hardened by adding many dangerous functions to the disable_functions variable in the php.ini file. For example, it's common to disable the exec function:

disable_functions = exec

And, for security reasons, it's also common to disable functions like chmod.

Solution

To fix the PHP Fatal error, WordPress should always check to see if the chmod function exists before attempting to call it:

if( function_exists( 'chmod') ){
   chmod( $new_file, $perms );
}

Change History (2)

#1 @maltfield
8 weeks ago

As a workaround, upload capabilities can be restored by adding this to the top of your wp-config.php until this bug is fixed:

if( ! function_exists('chmod') ){
        function chmod(){
                return;
        }
}
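
An added example, not WordPress core code and not written by the ticket's reporter: a guarded permission helper that skips chmod() when it is unavailable and then reports the mode the file actually has, because both the proposed guard and the no-op workaround leave the uploaded file with whatever mode it was created with. The function name example_apply_upload_perms, the 0644 target and the temp file are assumptions made for illustration.

```php
<?php
// Added example; example_apply_upload_perms() is a hypothetical helper name.
// Compare both code paths from the command line:
//   php example.php
//   php -d disable_functions=chmod example.php

/**
 * Apply $perms to $file without assuming chmod() is callable.
 *
 * Returns one of: 'set', 'already-ok', 'too-permissive',
 * 'too-restrictive', 'unknown'.
 */
function example_apply_upload_perms( string $file, int $perms ): string {
    // function_exists() is false when chmod is listed in disable_functions,
    // so the call below can never raise "Call to undefined function chmod()".
    if ( function_exists( 'chmod' ) && @chmod( $file, $perms ) ) {
        return 'set';
    }

    // chmod() was unavailable or failed: check the mode the file really has
    // instead of silently assuming the requested one.
    clearstatcache( true, $file );
    $actual = function_exists( 'fileperms' ) ? @fileperms( $file ) : false;
    if ( false === $actual ) {
        return 'unknown';
    }
    $actual &= 0777; // keep only the permission bits

    if ( $actual === $perms ) {
        return 'already-ok';
    }

    // Bits set on disk that were not requested mean the file is more
    // accessible than intended; that is the case worth alerting on.
    $extra = $actual & ~$perms;
    error_log( sprintf(
        'upload perms not applied to %s: wanted %04o, actual %04o',
        $file, $perms, $actual
    ) );

    return $extra ? 'too-permissive' : 'too-restrictive';
}

// Constructed demo input: a temp file standing in for the uploaded file.
$tmp = tempnam( sys_get_temp_dir(), 'upl' );
echo example_apply_upload_perms( $tmp, 0644 ), PHP_EOL;
@unlink( $tmp );
```

On a hardened host the second invocation takes the fallback path and reports how the file's real mode differs from the requested one, which is the information lost when the chmod() call is simply skipped or stubbed out.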