Ticket #2802 (closed defect: wontfix)

Opened 2 years ago

Last modified 2 years ago

Ensure wp_handle_upload never leaves uploaded files world-writable

Reported by: Libertus
Assigned to: anonymous
Priority: normal
Milestone:
Component: Security
Version: 2.1
Severity: normal
Keywords: inline upload files world writable wp_handle_upload
Cc:

Description

If I have to make my images directory world-writable to enable inline uploading, that doesn't mean I want the image files themselves world-writable. This patch ensures they never are.

Attachments

wp_handle_upload-file-permissions-patch.diff (459 bytes) - added by Libertus on 06/08/06 10:46:01.
the patch
wp_handle_upload-file-permissions-patch-2.diff (0.8 kB) - added by Libertus on 06/08/06 11:39:00.
This patch also corrects a nearby bug - a missing directory name in the error message

Change History

06/08/06 10:46:01 changed by Libertus

  • attachment wp_handle_upload-file-permissions-patch.diff added.

the patch

06/08/06 11:39:00 changed by Libertus

  • attachment wp_handle_upload-file-permissions-patch-2.diff added.

This patch also corrects a nearby bug - a missing directory name in the error message

06/21/06 22:12:43 changed by doit-cu

Does this really solve the problem? If the directory is world writable, and you upload file1.ext, I can still delete/replace file1.ext. I can't edit them directly, but I don't really need to. You'd need to sticky-bit the uploads directory as well to solve that on a linux/unix system... why not just chgrp to the web server user and chmod g+w the uploads directory?
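The two conditions discussed in this ticket (world-writable uploaded files, and a world-writable upload directory without the sticky bit) can be checked with the shell audit below. It is an added example, not part of the ticket, the attached patches, or WordPress; the function names are hypothetical and the directory path is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit an upload directory for the permission states
# discussed in this ticket. Function names are hypothetical.

# Classify the directory itself. Prints one of:
#   world-writable-no-sticky  any local user can delete or replace entries
#   world-writable-sticky     only an entry's owner, the directory owner
#                             or root can delete or rename an entry
#   not-world-writable        e.g. group-writable for the web server's group
upload_dir_state() {
    dir=$1
    [ -d "$dir" ] || { echo "not-a-directory"; return 1; }
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 ! -perm -1000)" ]; then
        echo "world-writable-no-sticky"
    elif [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "world-writable-sticky"
    else
        echo "not-world-writable"
    fi
}

# Count regular files under the directory that are themselves world-writable.
world_writable_files() {
    find "$1" -type f -perm -0002 | wc -l | tr -d ' '
}

# Print a one-line report; succeed only when neither condition is present.
audit_upload_dir() {
    state=$(upload_dir_state "$1") || { echo "$1: $state"; return 2; }
    files=$(world_writable_files "$1")
    echo "$1: directory=$state world_writable_files=$files"
    [ "$state" != "world-writable-no-sticky" ] && [ "$files" -eq 0 ]
}

# Usage (path is a placeholder): audit_upload_dir /path/to/uploads
```

A directory that reports `world-writable-no-sticky` fails the audit even when every file in it is mode 644, because deleting or replacing a file depends on write permission on the directory rather than on the file.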

04/04/07 21:39:05 changed by Nazgul

  • status changed from new to closed.
  • resolution set to wontfix.

Closing as wontfix, based on last comment.