which you pass as $mode parameter to filesystem class, to set the permissions accordingly.
This is wrong & a security risk bc:
1) files should be created with permission 644 for files and 755 for directories (or whatever FS_CHMOD_FILE and FS_CHMOD_DIR are set to) which is the default anyway => if you do not pass the $mode parameter, WP will do this by default
2) additionally calling umask is a security risk in most webservers that run WP with php-fpm, see "Note" on hidden link
by just removing the mode parameter, you can fix both issues
Did you read what I wrote? I already did send what you ask for in the post above. See the first 4 lines of the post. IN those files search for umask() and you'll see it.
I have escalated this ticket to our 2nd tier of support where our 2nd tier specialists will take a deeper look at this code and I will get back to you as soon as I get an answer from them.
Our 2nd tier specialists looked in to this and they found that we are not setting any umask (No argument in a function) we are just getting current umask and subtracting from the permission i.e. 0755 to respect current umask.
Yes, but that is wrong. WordPress already handles permissions itself. You should not be using umask at all, as you're creating files with a permission that does not necessarily match what users want their WP files to be created with.
files should be created with permission 644 for files and 755 for directories (or whatever FS_CHMOD_FILE and FS_CHMOD_DIR are set to) which is the default anyway => if you do not pass the $mode parameter, WP will do this by default
You just need to remove the parameter you pass, so WP will handle that
