This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.

This topic contains 7 replies, has 2 voices.

Last updated by Carlos Rojas 4 months, 2 weeks ago.

Assigned support staff: Carlos Rojas.

April 14, 2022 at 6:11 pm #11024015

desireeM

wpml-string-translation plugin

classes/MO/File/makeDir.php
classes/MO/Generate/GenerateMissingMOFile.php
classes/translation-files/Manager.php

You have code like:
0755 & ~ umask()

which you pass as the $mode parameter to the filesystem class, to set the permissions accordingly.

This is wrong and a security risk because:
1) Files should be created with permission 644 for files and 755 for directories (or whatever FS_CHMOD_FILE and FS_CHMOD_DIR are set to), which is the default anyway => if you do not pass the $mode parameter, WP will do this by default.

2) Additionally, calling umask is a security risk in most webservers that run WP with php-fpm, see "Note" on hidden link.

By just removing the mode parameter, you can fix both issues.

April 18, 2022 at 12:42 am #11035929

Carlos Rojas
Supporter

Languages: English (English), Spanish (Español)

Timezone: Europe/Madrid (GMT+02:00)

Hello,
Thank you for contacting us.

Could you provide the function or the line in the code where this problem is happening?

Regards,
Carlos

April 18, 2022 at 6:23 am #11036823

desireeM

Did you read what I wrote? I already sent what you asked for in the post above. See the first 4 lines of the post. In those files, search for umask() and you'll see it.

April 18, 2022 at 11:50 pm #11040901

Carlos Rojas
Supporter

Hi there,
Thank you for your message.

I have escalated this ticket to our 2nd tier of support where our 2nd tier specialists will take a deeper look at this code and I will get back to you as soon as I get an answer from them.

Regards,
Carlos

May 2, 2022 at 5:07 pm #11134991

Carlos Rojas
Supporter

Hi there,

Our 2nd tier specialists looked into this and they found that we are not setting any umask (no argument in the function); we are just getting the current umask and subtracting it from the permission, i.e. 0755, to respect the current umask.

Regards,
Carlos

May 9, 2022 at 5:02 am #11177655

desireeM

Yes, but that is wrong. WordPress already handles permissions itself. You should not be using umask at all, as you're creating files with a permission that does not necessarily match what users want their WP files to be created with.

Files should be created with permission 644 for files and 755 for directories (or whatever FS_CHMOD_FILE and FS_CHMOD_DIR are set to), which is the default anyway => if you do not pass the $mode parameter, WP will do this by default.

You just need to remove the parameter you pass, so WP will handle that.

May 9, 2022 at 9:49 am #11179637

Carlos Rojas
Supporter

Hi there,
Thank you for your message.

I have shared your message with our 2nd tier specialists. I will get back to you as soon as I get an answer from them.

Regards,
Carlos

May 12, 2022 at 4:02 pm #11210545

Carlos Rojas
Supporter

Hi,

Our developers will remove the umask call.

Regards,
Carlos
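
An added example, not part of the thread and not WPML or WordPress code: it creates directories under several process umasks, once with the `0755 & ~umask()` mode discussed above and once with no mode, and prints the resulting permissions. `demo_fs_mkdir()` is a hypothetical stand-in for the filesystem class (falling back to FS_CHMOD_DIR when no mode is passed, as the thread describes), and the FS_CHMOD_DIR value 0750 and the umask values are constructed.

```php
<?php
// Added illustration; runs under PHP CLI on a POSIX system, without WordPress.

// Constructed setting: a hardened site that overrides FS_CHMOD_DIR in its config.
define('FS_CHMOD_DIR', 0750);

// Hypothetical stand-in for the filesystem class's mkdir(): with no mode passed
// it uses FS_CHMOD_DIR, then chmod()s explicitly so the umask has no effect.
function demo_fs_mkdir(string $path, $chmod = false): bool
{
    if (!$chmod) {
        $chmod = FS_CHMOD_DIR;
    }
    if (!@mkdir($path)) {
        return false;
    }
    return chmod($path, $chmod);
}

// Permission bits of $path as a four-digit octal string.
function mode_of(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

$base = sys_get_temp_dir() . '/umask-demo-' . getmypid();
mkdir($base, 0700);

printf("%-7s %-18s %s\n", 'umask', '0755 & ~umask()', 'no mode passed');
foreach ([0022, 0002, 0077] as $mask) {          // constructed umask values
    $old = umask($mask);  // CLI only: simulate a server process started with this umask

    $reported = sprintf('%s/reported-%03o', $base, $mask);
    $default  = sprintf('%s/default-%03o', $base, $mask);
    demo_fs_mkdir($reported, 0755 & ~umask());   // pattern reported in the thread
    demo_fs_mkdir($default);                     // suggested fix: omit the mode

    umask($old);
    printf("%04o    %-18s %s\n", $mask, mode_of($reported), mode_of($default));
    rmdir($reported);
    rmdir($default);
}
rmdir($base);
```

The first column of results follows whatever umask the PHP process inherited, while the second always matches the site's FS_CHMOD_DIR, including when that setting is stricter than 0755.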