Make WordPress Core

Opened 8 weeks ago

Last modified 7 weeks ago

#62718 new defect (bug)

Automatic updater of WordPress always fails if FS_METHOD is ftpext since 6.6 with PHP 8.0+

Reported by: hideishi's profile hideishi Owned by:
Milestone: 6.8 Priority: normal
Severity: major Version: 6.6
Component: Upgrade/Install Keywords:
Focuses: Cc:

Description

Since WordPress 6.6, enabling maintenance mode is introduced in automatic update.
The source code is wp-admin/includes/class-wp-automatic-updater.php in public function update().

<?php
if ( 'translation' !== $type ) {
        $upgrader->maintenance_mode( true );
}

The main problem is that in the called maintenance_mode(), WP_Filesystem() is called without any arguments.
When FS_METHOD is set to 'ftpext' (or non 'direct'), credentials are necessary to pass to WP_Filesystem() constructor.
Because no argument is passed, returned WP_Filesystem() has an empty $link.
Since PHP 8.0, ftp_nlist() does not accept null as first argument that results in PHP Fatal Error.

NOTICE: PHP message: PHP Fatal error:  Uncaught TypeError: ftp_nlist(): Argument #1 ($ftp) must be of type FTP\Connection, null given in /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-filesystem-ftpext.php:438
Stack trace:
#0 /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-filesystem-ftpext.php(438): ftp_nlist()
#1 /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-filesystem-base.php(231): WP_Filesystem_FTPext->exists()
#2 /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-filesystem-base.php(58): WP_Filesystem_Base->find_folder()
#3 /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-upgrader.php(997): WP_Filesystem_Base->abspath()
#4 /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-automatic-updater.php(474): WP_Upgrader->maintenance_mode()
#5 /home/kusanagi/kusanagi9/DocumentRoot/wp-admin/includes/class-wp-automatic-updater.php(676): WP_Automatic_Updater->update()
#6 /home/kusanagi/kusanagi9/DocumentRoot/wp-inc...

This causes the automatic updater to stop here, hence Automatic updater will never update WordPress core if the core is updated once to 6.6 or later (also updating plugins and themes fails!).
Prior to 6.6, maintenance_mode() was not enabled. Therefore, automati updater did not fail at this point end was eble to proceed to the later process where WP_Filesystem() was generated with proper credentials.

Change History (3)

#1 @hideishi
8 weeks ago

I would like to highlight that WP_Filesystem() SHOULD NEVER BE CALLED WITHOUT CREDENTIALS unless you are 100% sure that FS_METHOD is 'direct' because since 8.0 PHP restriced type checks that throws fatal error if invalid type of argument is passed in ftpext and ftpsocket functions.
I haven't tried with ssh2 but I guess it is the same for it as well.

#2 @dd32
8 weeks ago

  • Component changed from General to Upgrade/Install
  • Milestone changed from Awaiting Review to 6.8

Hi @hideishi and welcome to Trac, thanks for reporting this.

Looking into it, it appears to have been introduced in [58128] / #58281.

You're correct, that WP_Filesystem() should not be called without the $args parameter, and that code similar to this should be employed:
https://github.com/WordPress/wordpress-develop/blob/b8ecfbf9542198b1d88230221faeca6b71fa0ac7/src/wp-includes/update.php#L1114-L1121

ob_start();
$credentials = request_filesystem_credentials( '' );
ob_end_clean();

if ( ! WP_Filesystem( $credentials ) ) {
	wp_trigger_error( __FUNCTION__, __( 'Could not access filesystem.' ) );
	return;
}

Moving to 6.8 for resolution, but backporting should be considered. This isn't critical, as it only affects a subset of sites (Those using FTP/SSH with hard-coded credentials).

Last edited 8 weeks ago by dd32 (previous) (diff)

#3 @hideishi
8 weeks ago

Well, meny sites rely on automatic updates for keeping WordPress core, plugins and themes fresh and secure.
Sites configured with such credentials are jeopadized without backporting. In this sense, it is a security issue.

Because this affects not just for WordPress core, but automatic updates for plugins and themes in which tons of security issues may appear, I believe this causes a major threat on WordPress sites running 6.6 and 6.7 currently.
This will leave thet sites that uses FTP/SSH credentials vulnerable.

I would very much appreciate if you could consider to backport to 6.6 and 6.7 in which this issue occurs.

Last edited 7 weeks ago by hideishi (previous) (diff)
Note: See TracTickets for help on using tickets.