• Resolved pyramusnl

    (@pyramusnl)


    I think there is an issue with your new rule for preventing execution in the Uploads folder. Your updated rule specifies the uploads directory to be inside “/wp-content/”. This will only work if you did not change the name of the content folder – which most plugin users would have done, naturally.

    A (somewhat) better rule in htaccess is below.

    # Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads
    RewriteRule ^(.*)/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]

    But I hope you guys can come up with a more strict solution where the variable for the content dir from wp-config.php is used as well.

    https://wordpress.org/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi Pyramusnl,

    Thanks for reporting this. I’ve filed a bug report. I’ve also added a link to this post so I can update you with progress.

    Thanks,

    Gerroald

    The directory used for the .htaccess rule is pulled from get_option( 'upload_path' ) so it should be right for your install *when it is written*. We will look into possibly monitoring and updating that rule if the content directory is changed.

    Thread Starter pyramusnl

    (@pyramusnl)

    Hey there, thanks so much for the quick reply.

    @aaron, I’m not sure I understand correctly: although iThemes Security seems to know about the renaming, the htaccess rule was still set up incorrectly for my installation, like this:
    RewriteRule ^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]

    I just checked my wp-config and see I’ve correctly defined WP_CONTENT_DIR and WP_CONTENT_URL. The uploads folder is just residing in this content folder like usual. Everything on my site seems to be working fine, including uploads in the correct folder.

    Please let me know if you think the plugin is indeed operating as designed or if it should have “pulled” the correct folder.

    Thanks!

    I’ll do some further testing. It looks like there might be some cases where the content directory is changed, the upload path option is set to wp-content/uploads, and WordPress replaces it with WP_CONTENT_URL . ‘/uploads’. We’ll look into it and try to firm up the way we handle these rewrites.

    Thanks for the report!

    Hey Pyramusnl,

    This is now fixed in 4.9.0. Can you please confirm?

    Thanks,

    Gerroald

    Thread Starter pyramusnl

    (@pyramusnl)

    Yay, confirmed!

    Thanks for the update.


The topic ‘Hardcoded wp-content/uploads directory since 4.8’ is closed to new replies.
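
An added example, not part of the thread or the plugin's code: a Python check that reads the forbidding RewriteRule lines from a site-root .htaccess and reports which PHP-type paths under the real uploads directory no rule matches. The two rules are the ones quoted in the posts above; the renamed directory `content/uploads`, the probe file names and the function names are assumptions.

```python
import re

# "RewriteRule <pattern> - [flags]" as written in a site-root .htaccess.
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+-\s+\[([^\]]*)\]\s*$', re.I)

# Constructed probe names covering the extensions the thread's rules list.
PROBES = ["a.php", "a.php5", "a.pht", "a.phtml", "a.PHP"]

# The two rules quoted in the thread.
HARDCODED = r'''# Disable PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]
'''
GENERIC = r'''# Disable PHP in Uploads
RewriteRule ^(.*)/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]
'''

def forbid_patterns(htaccess_text):
    """Compile the pattern of every RewriteRule that carries the F flag."""
    patterns = []
    for line in htaccess_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments and other directives
        flags = {f.strip().upper() for f in m.group(2).split(',')}
        if flags & {"F", "FORBIDDEN"}:
            nocase = re.I if flags & {"NC", "NOCASE"} else 0
            patterns.append(re.compile(m.group(1), nocase))
    return patterns

def uncovered(htaccess_text, uploads_rel, names=PROBES):
    """Return probe paths under uploads_rel that no forbid rule matches.

    In .htaccess context the pattern is tested against the path relative
    to the directory holding the file, without a leading slash.
    """
    rules = forbid_patterns(htaccess_text)
    base = uploads_rel.strip('/')
    paths = [f"{base}/2015/01/{n}" for n in names]
    return [p for p in paths if not any(r.search(p) for r in rules)]

if __name__ == "__main__":
    # Assumed layout: content directory renamed from wp-content to content.
    for label, text in (("hardcoded", HARDCODED), ("generic", GENERIC)):
        print(label, uncovered(text, "content/uploads"))
```

Pass the uploads path relative to the directory that holds the .htaccess; an empty result means every probe would be refused.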