Recursive Bug in ITSEC_Lib_Directory::create

Jeff-Lewis
(@jeff-lewis)

7 years, 6 months ago
When a user restores a WordPress DB or iThemes settings where the main iThemes Log directory is a completely different drive (D:\) that does not exist of the current machine, ITSEC_Lib_Directory::create lines 140-144 will go in an endless loop and eventually crash. Below is the code we have to apply to your plugin, file class-itsec-lib-directory.php starting line 139, after every update.
```
$parent = dirname( $dir );
while ( ! empty( $parent ) && ( ! self::is_dir( $parent ) ) ) {
  $previousParent = $parent;
  $parent = dirname( $parent );
  if($previousParent === $parent){
    $parent = null;
  }
}
```
- This topic was modified 7 years, 6 months ago by Jeff-Lewis.

Viewing 6 replies - 1 through 6 (of 6 total)

nlpro
(@nlpro)

7 years, 6 months ago

Are the 2 envs both Windows platform ?

Or would this also be an issue when restoring from Windows platform to a linux env ?
nlpro
(@nlpro)

7 years, 6 months ago
FYI

It turns out this very same bug is present in the WordPress Core wp_mkdir_p() function !
```
1616| // We need to find the permissions of the parent folder that exists and inherit that.
1617| $target_parent = dirname( $target );
1618| while ( '.' != $target_parent && ! is_dir( $target_parent ) ) {
1619|     $target_parent = dirname( $target_parent );
1620| }
```
Thread Starter Jeff-Lewis
(@jeff-lewis)

7 years, 6 months ago

We get it on Windows. Haven’t tried linux. I’m surprised about wp_mkdir_p(). Did you file a bug? Thanks for the replies.
nlpro
(@nlpro)

7 years, 6 months ago
Please ignore my previous post. The wp_mkdir_p() bug was recently fixed in the WordPress 4.9.5 release (#43417).

Filesystem API

#43417 – Avoid an infinite loop in wp_mkdir_p() when trying to determine the parent folder with open_basedir restriction in effect.
```
// We need to find the permissions of the parent folder that exists and inherit that.
$target_parent = dirname( $target );
while ( '.' != $target_parent && ! is_dir( $target_parent ) && dirname( $target_parent ) !== $target_parent ) {
      $target_parent = dirname( $target_parent );
}
```
Notice the extra (3rd) condition.

There is an important lesson to learn from my mistake.
This is what happened. I looked up the wp_mkdir_p() function in the Code Reference on developer.wordpress.org
So basically navigated to this link and then scrolled down to the Source # section. I then clicked on the Expand full source code link. It turns out the code displayed is for 4.9.0 (as can be seen by hovering with the mouse cursor over the View on Trac link) while I thought I was looking at (latest minor release) 4.9.8 code …
So all embedded code in the Code Reference on developer.wordpress.org links to the LATEST MAJOR WordPress release.

Anyway I think you can shorten your fix by implementing the same code from the fixed wp_mkdir_p() function 😉
Thread Starter Jeff-Lewis
(@jeff-lewis)

7 years, 6 months ago
Ah, good to know about the Code Reference. Will you apply the same fix to ITSec?
- This reply was modified 7 years, 6 months ago by Jeff-Lewis.
mmoore247
(@mmoore247)

7 years, 6 months ago

Hi,

I am Michael from iThemes support. The developer wanted me to let you know that this will be fixed in the next release of iThemes Security.

Thanks!
Michael

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Recursive Bug in ITSEC_Lib_Directory::create’ is closed to new replies.