WordPress.org

Plugin Directory

Opened 22 months ago

Last modified 22 months ago

#2492 new defect

Incorrect file permissions in wp-security-scan plugin

Reported by: kijote
Owned by:
Priority: highest
Severity: critical
Plugin: not-listed
Keywords: file permissions
Cc:

Description

There's a bug applying file permissions in the WsdSecurity.php file: when it's setting the 664 permission on files, it uses quotes around the 0644 number, and the number is implicitly converted to an integer (and it's not treated as octal) by PHP, as you can see in the following:

$ stat -c "%a %n" *
664 test1.txt
664 test2.txt

$ php -a
php > chmod('test1.txt', 0644);    // without single quotes
php > chmod('test2.txt', '0644');  // with single quotes

$ stat -c "%a %n" *
644 test1.txt
1204 test2.txt

So, the files on the server can't be chmod'ed by a user without admin privileges; because of this I set the priority of the ticket to highest and the severity to critical.
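
The conversion described in the ticket, reproduced as an added PHP example (not code from the plugin or from the reporter). `normalize_mode()` and `mode_of()` are hypothetical helpers, and a Linux filesystem like the one in the ticket's `stat` output is assumed.

```php
<?php
// Added illustration, not plugin code. normalize_mode() is a hypothetical helper.

/**
 * Return the integer mode chmod() expects from an int or an octal digit string.
 * An int is taken as already correct: decimal 644 cannot be told apart from a
 * deliberate 01204 once the quotes are gone, so strings are parsed explicitly.
 */
function normalize_mode($mode): int
{
    if (is_int($mode) && $mode >= 0 && $mode <= 07777) {
        return $mode;
    }
    if (is_string($mode) && preg_match('/^[0-7]{3,4}$/', $mode)) {
        return octdec($mode); // "0644" is read as base 8
    }
    throw new InvalidArgumentException('not a valid permission mode');
}

/** Permission bits of $path as a four-digit octal string. */
function mode_of(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 07777);
}

$file = tempnam(sys_get_temp_dir(), 'perm'); // constructed scratch file

// The ticket's case: the quoted value is converted as a decimal number,
// so chmod() receives 644 (decimal), whose octal form is 1204.
chmod($file, '0644');
echo "chmod(\$f, '0644')                 => ", mode_of($file), PHP_EOL;

// Octal literal, as in the ticket's first call.
chmod($file, 0644);
echo "chmod(\$f, 0644)                   => ", mode_of($file), PHP_EOL;

// Mode arriving as a string (option value, config): parse it as octal first.
chmod($file, normalize_mode('0644'));
echo "chmod(\$f, normalize_mode('0644')) => ", mode_of($file), PHP_EOL;

unlink($file);
```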

Change History (1)

comment:1 @kijote 22 months ago

  • Summary changed from Incorrect file permissions to Incorrect file permissions in wp-security-scan plugin