WordPress security hack for allowing theme/plugin/images uploads but not core upgrade (with different file owner permissions check)
commit 670110b (HEAD, virageadroite)
Author: Michaël Marinetti <github@marinetti.fr>
Date: 12 minutes ago
Add: security wp-content
diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php
index 078a369..d11c9f3 100644
--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@@ -976,7 +976,8 @@ function get_filesystem_method( $args = array(), $context = false, $allow_relaxe
// Attempt to determine the file owner of the WordPress files, and that of newly created files
$wp_file_owner = $temp_file_owner = false;
if ( function_exists('fileowner') ) {
- $wp_file_owner = @fileowner( __FILE__ );
+ //$wp_file_owner = @fileowner( __FILE__ );
+ $wp_file_owner = @fileowner( $context ); // CHANGED FOR ALLOWING ONLY wp-content writings
$temp_file_owner = @fileowner( $temp_file_name );
}
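Review bot: On the new `@fileowner( $context )` line, `$context` defaults to `false` in the signature shown in the hunk header, so a call without a context makes `fileowner()` fail, and because `@` suppresses the warning, `$wp_file_owner` silently stays `false`. Use `$context` only when it is a non-empty, existing path and fall back to the original `__FILE__` check otherwise, or document that every caller must pass the target directory. The commented-out `//$wp_file_owner = @fileowner( __FILE__ );` line is better deleted than kept, since the diff already records it, and the trailing comment would be clearer if it said which directory `$context` is expected to hold.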