WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 5 years ago

#6509 closed defect (bug) (worksforme)

swfupload problems with mod_security

Reported by: SteveAgl
Owned by:
Milestone: 2.9
Priority: normal
Severity: normal
Version: 2.5
Component: Upload
Keywords: needs-test reporter-feedback
Focuses:
Cc:

Description

I got 2 problems with an Italian hoster that has hundreds if not thousands of users with a WP blog.

1) Having mod_security on, swfupload fails; the problem gets solved using the method suggested at:
http://wordpress.org/support/topic/162373?replies=12 by inserting some lines in the .htaccess. I don't know if this could be solved by making the uploader degrade to a non-swf uploader.

2) The hoster has suEXEC and we already solved a similar one with Ryan with the old uploader years ago. The directories are created with the following permission: drwxr_x_ that makes the files inside not readable; restoring sitewide permissions from the hosting CP, the dir becomes drwxr_s_ and files get read correctly. This is a very bad problem that needs a solution.

Change History (9)

comment:1 @lloydbudd 7 years ago

1) relates to #6406 ?

comment:2 in reply to: ↑ 1 @SteveAgl 7 years ago

Replying to lloydbudd:

1) relates to #6406 ?

Looks like it is... but there the solution is to have a plugin that disables the flash uploader. I think that if the problem is with mod_security, the uploader can check it and degrade by itself if that is the case. Don't?

comment:3 @SteveAgl 7 years ago

I checked the old ticket that solved the same problem stated here as #2; in late 2006 it was #2190, and that time changeset [3501] solved the problem. This was kept in the new file function.php that substitutes the old admin-function.php where that code was, and is used:

// Set correct file permissions
$stat = @ stat( dirname( $new_file ) );
$perms = $stat['mode'] & 0007777;
$perms = $perms & 0000666;
@ chmod( $new_file, $perms );

In media.php I've found:

// Set correct file permissions
$stat = stat( dirname( $destfilename ));
$perms = $stat['mode'] & 0000666; // same permissions as parent folder, strip off the executable bits
@ chmod( $destfilename, $perms );

That looks like it ignores the S flag, or am I wrong? Maybe having the same code as in function.php will solve the problem? No, it doesn't... I tried... but... I feel the problem is around there.
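
What the two masks quoted in comment:3 compute, as an added example (not WordPress code and not part of the ticket): because 0666 is a subset of 07777, both snippets yield the same file mode, and neither carries over the setgid bit or grants a bit the parent directory lacks. The helper names and the directory modes are constructed for illustration, not taken from the reporter's host.

```php
<?php
// Added example, not WordPress code: compare the two permission masks quoted above.

// Mask as quoted from function.php: keep the permission bits,
// then strip the execute and special (setuid/setgid/sticky) bits.
function perms_two_step( int $dir_mode ): int {
    $perms = $dir_mode & 0007777;
    return $perms & 0000666;
}

// Mask as quoted from media.php: a single AND with 0666.
function perms_one_step( int $dir_mode ): int {
    return $dir_mode & 0000666;
}

// Constructed parent-directory modes as stat() would report them
// (file-type bits included). Sample values only.
$samples = array(
    'drwxr-xr-x' => 0040755,
    'drwxr-x---' => 0040750,
    'drwxr-s---' => 0042750, // setgid directory
    'drwx------' => 0040700,
);

foreach ( $samples as $label => $dir_mode ) {
    $a = perms_two_step( $dir_mode );
    $b = perms_one_step( $dir_mode );
    printf(
        "%s  dir=%06o  two-step=%04o  one-step=%04o  same=%s  world-readable=%s\n",
        $label,
        $dir_mode,
        $a,
        $b,
        $a === $b ? 'yes' : 'no',
        ( $b & 0004 ) ? 'yes' : 'no'
    );
}
```

Only the 0755 sample yields a file readable by "other"; for the remaining samples the uploaded file inherits a mode that excludes any account outside the owner or group.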

comment:4 @ryan 7 years ago

  • Milestone changed from 2.5.2 to 2.9

Milestone 2.5.2 deleted

comment:5 @Denis-de-Bernardy 6 years ago

  • Keywords needs-patch needs-testing added
  • Summary changed from swfupload problems to swfupload problems with mod_security

comment:6 @Denis-de-Bernardy 6 years ago

  • Component changed from TinyMCE to Upload

comment:8 @Denis-de-Bernardy 6 years ago

  • Keywords reporter-feedback added; needs-testing removed

comment:9 @hakre 5 years ago

  • Keywords needs-test added; needs-patch removed
  • Priority changed from high to normal
  • Resolution set to worksforme
  • Status changed from new to closed

Maybe umask is missing here as well (see #10170)?

Additionally, there is not much of a way to check for mod_security, or at least for the specific configuration that prevents on certain hosts.

To tell you the truth: worksforme. I have WordPress blogs on hosts with mod_security enabled and no problems. This is a server configuration thing, so please check your mod_security settings or disable it via .htaccess:

<IfModule mod_security.c>
<Files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>

Log entry of the check enabled in mod_security that prevented file uploads on one host (as only one sole person has reported the real details in her case):
http://wordpress.org/support/topic/162373?replies=12#post-716574

As reported, this works for me; I have zero/nada/no problem with mod_security and swfupload. Can someone please provide a detailed testcase to reproduce this so that it can actually be confirmed?
