Security fix preventing directory traversal broke my workflow

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Lox

    (@dreadlox)

    This works but I am wondering if I may just reproduce the fixed security issue doing this.

    /** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
?
add_filter( 'upload_dir', function ( $upload_dir ) {
    $prev_basedir          = $upload_dir['basedir'];
    $upload_dir['basedir'] = realpath( $upload_dir['basedir'] );
    $upload_dir['path']    = str_replace( $prev_basedir, $upload_dir['basedir'], $upload_dir['path'] );
?
    return $upload_dir;
} );
    Thread Starter Lox

    (@dreadlox)

    Damn this code breaks wp-cli …

    PHP Fatal error: Uncaught Error: Call to undefined function add_filter() in phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php(1169) : eval()'d code:77

    Dion

    (@diondesigns)

    Try this instead:

    if (!defined('UPLOADS')) {
	define('UPLOADS', realpath('../files'));
}
    Thread Starter Lox

    (@dreadlox)

    That would make an absolute path but UPLOAD is used to construct URLS too so it won’t work, it has to be relative.

    Thread Starter Lox

    (@dreadlox)

    There is an opened ticket for it

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Security fix preventing directory traversal broke my workflow’ is closed to new replies.