[wp-hackers] Backup plugin and writability

Scott Merrill skippy at skippy.net
Sun Jan 8 19:23:25 GMT 2006

Elliotte Harold wrote:
> Scott Merrill wrote:
>>> 1. Why is it trying to writing anything to /var/www/cafe/?
>>> /var/www/cafe/wp-content/backup-05ad9/ I understand, but /var/www/cafe
>>> shouldn't need to be written.
>> It's checking whether it can create the directory it needs.
> Then why doesn't the message mention /var/www/cafe/wp-content instead of
> /var/www/cafe ?

I can't answer this one, as these changes were put in by Matt.

>>> 2. Why isn't it using /usr/tmp for temporary files like a good Unix
>>> program?
>> WordPress is not a good UNIX program, it's a web-based application.  It
>> might be running on Windows, in which case /usr/tmp is a bogus value.
> Java has a platform independent means of finding the temporary files
> directory and creating a temporary file. Does PHP? Even if it doesn't it
> shouldn't be that hard to figure out if we're on Unix or Windows and
> choose the temporary directory accordingly.

Using a system-wide temporary directory is probably a bad idea, since
the database contains password hashes, non-public email addresses, and
possibly unpublished posts which should remain private.

The backup should be considered private, and as such should not be
spooled to any publicly accessibly directories.  Yes, I realize that the
instructions in my original plugin did encourage people to relax
permissions on their /wp-content/backup/ directory, but that was mostly
due to problems with various hosting providers.  Matt's modifications to
use /backup-<hash>/ help obfuscate the backup directory from casual

skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35

More information about the wp-hackers mailing list