Opened 8 weeks ago
Last modified 8 weeks ago
#62693 new defect (bug)
check if chmod is available to prevent Fatal Errors
Reported by:
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:
Description
There is a bug in WordPress that prevents users from uploading media if their PHP server was hardened following common best practices.
chmod( $new_file, $perms );
This line causes a PHP Fatal error on hardened systems with the chmod function disabled.
PHP Fatal error: Uncaught Error: Call to undefined function chmod() in /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/file.php:1043
Stack trace:
#0 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/file.php(1105): _wp_handle_upload()
#1 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/media.php(306): wp_handle_upload()
#2 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/ajax-actions.php(2632): media_handle_upload()
#3 /var/www/html/store.opensourceecology.org/htdocs/wp-admin/async-upload.php(33): wp_ajax_upload_attachment()
#4 {main}
 thrown in /var/www/html/store.opensourceecology.org/htdocs/wp-admin/includes/file.php on line 1043', referer: https://store.opensourceecology.org/wp-admin/upload.php
Why this matters
For security reasons, orgs frequently configure php.ini to be hardened by adding many dangerous functions to the disable_functions variable in the php.ini file. For example, it's common to disable the exec function:
disable_functions = exec
And, for security reasons, it's also common to disable functions like chmod.
Solution
To fix the PHP Fatal error, WordPress should always check to see if the chmod function exists before attempting to call it:
if ( function_exists( 'chmod' ) ) { chmod( $new_file, $perms ); }
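As an added example (not code from this ticket or from WordPress core), here is a guarded wrapper that treats a disabled chmod() as a non-fatal condition and logs it, so an upload handler can finish instead of hitting the fatal error above; the helper names php_function_available and safe_chmod are my own.

```php
<?php
// Returns true only if $name is callable in this PHP configuration: it must
// be defined and must not be listed in disable_functions. function_exists()
// already reports disabled functions as missing on current PHP, but reading
// the ini list keeps the intent explicit and catches odd configurations.
function php_function_available( string $name ): bool {
    if ( ! function_exists( $name ) ) {
        return false;
    }
    $disabled = array_map(
        'trim',
        explode( ',', (string) ini_get( 'disable_functions' ) )
    );
    $disabled = array_map( 'strtolower', $disabled );
    return ! in_array( strtolower( $name ), $disabled, true );
}

// Applies $perms to $file when chmod() is usable. When it is not, the file is
// left with the mode the upload handler already gave it, the event is logged
// for the operator, and false is returned so the caller can carry on instead
// of dying with "Call to undefined function chmod()".
function safe_chmod( string $file, int $perms ): bool {
    if ( ! php_function_available( 'chmod' ) ) {
        error_log( sprintf(
            'chmod() is unavailable (disable_functions); %s keeps its current mode, %o was requested',
            $file,
            $perms
        ) );
        return false;
    }
    return chmod( $file, $perms );
}

// Demo on a constructed temporary file standing in for an uploaded file.
$tmp = tempnam( sys_get_temp_dir(), 'upl' );
$ok  = safe_chmod( $tmp, 0644 );
printf( "chmod %s: %s\n", $tmp, $ok ? 'applied' : 'skipped, chmod() disabled' );
unlink( $tmp );
```

Running the script with `php -d disable_functions=chmod demo.php` exercises the skipped path; without that flag the mode is applied.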
Change History (2)
As a workaround, upload capabilities can be restored by adding this to the top of your wp-config.php until this bug is fixed