[wp-trac] [WordPress Trac] #58541: WP_Filesystem_SSH2:put_contents (and others) does not check for $sftp_link to be up
WordPress Trac
noreply at wordpress.org
Thu Jun 15 06:47:39 UTC 2023
#58541: WP_Filesystem_SSH2:put_contents (and others) does not check for $sftp_link
to be up
----------------------------+-----------------------------
 Reporter:  jobst           |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Filesystem API  |    Version:
 Severity:  major           |   Keywords:  has-patch
  Focuses:                  |
----------------------------+-----------------------------
This is a bit long, as I need to explain the reason why it is a problem
not to check for the link '$sftp_link' to be up.
In short: WordPress allows choosing between various FS_METHODS
(wp-config.php), e.g. 'direct' or 'ssh2'. While neither choice will affect
WordPress updating itself at all, it has implications when some plugins
update files, writing content to a file (htaccess, css, etc.) via
{{{
$wp_filesystem->put_contents($file, $content);
}}}
The function put_contents should check whether the link is up.
There is a big difference in how one needs to set up the '$wp_filesystem'
instance if you use 'direct' or 'ssh2' - the first one does not need to
connect, the second needs to set up a connection before being able to
write.
For FS_METHODS 'direct':
{{{
global $wp_filesystem;
if ( empty( $wp_filesystem ) ) {
    require_once ABSPATH . '/wp-admin/includes/file.php';
    WP_Filesystem();
}
$wp_filesystem->put_contents( $file, $content );
}}}
For FS_METHODS 'ssh2':
{{{
global $wp_filesystem;
if ( empty( $wp_filesystem ) ) {
    require_once ABSPATH . '/wp-admin/includes/file.php';
    WP_Filesystem();
    // this is the ONLY difference to 'direct'
    $wp_filesystem->connect();
}
$wp_filesystem->put_contents( $file, $content );
}}}
In the file ABSPATH/wp-admin/includes/file.php (around line 2051) the
function WP_Filesystem() simply sets up an instance of the class defined
by FS_METHOD, but does NOT connect if FS_METHOD is set to 'ssh2'.
Now many plugins that need to write a file (css, htaccess, etc.) simply assume
that FS_METHOD is set to 'direct' or even assume WP_Filesystem() will
connect as well.
I have three plugins (there are more, but these are the ones I am 100%
sure of) that have problems writing:
- Ultimate Addons for Elementor
- Astra Addons
- Sensei
Now I could tell those developers to do it properly.
However, I think the function $wp_filesystem->put_contents() should CHECK
whether the link is up and if NOT, call a function within the class and
set up the link to the server; after all, I would consider this proper
coding practice.
{{{
public function put_contents( $file, $contents, $mode = false ) {
    // so this is for people who come from the outside
    // just setting up the class and don't care whether
    // a call to "connect" is required.
    error_log( "class-wp-filesystem-ssh2.php -> put_contents -> $file " );
    if ( ! $this->sftp_link ) {
        error_log( "class-wp-filesystem-ssh2.php link is null, connecting ...." );
        // this function is similar to connect
        $rc = $this->build_options_connect();
    }
    // put the contents
    $ret = file_put_contents( $this->sftp_path( $file ), $contents );
    if ( strlen( $contents ) !== $ret ) {
        return false;
    }
    $this->chmod( $file, $mode );
    return true;
}
}}}
The function $this->build_options_connect() sets up the required data
structure similar to the function "request_filesystem_credentials()" in
file ABSPATH/wp-admin/includes/file.php (around line 2250) and then sets
up the connection similar to the function $wp_filesystem->connect() in
file ABSPATH/wp-admin/includes/class-wp-filesystem-ssh2.php (around line
120).
I have done this on all of my servers for a few weeks now.
Messages like this one example (of many) below have completely disappeared.
{{{
[10-Jun-2023 18:25:12 UTC] PHP Warning: file_put_contents(ssh2.sftp:///HIDDEN/htdocs/wp-content/uploads/uael_uploads/.htaccess): failed to open stream: operation failed in /HIDDEN/htdocs/wp-admin/includes/class-wp-filesystem-ssh2.php on line 283
}}}
While I stated 'has patch' (I do), let's first see what people say about
this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58541>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
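
A plugin-side counterpart to the ticket, as an added example (not WordPress core code and not the reporter's patch): it initialises the Filesystem API with credentials and checks every return value around the write, so a failed write of a file such as the `.htaccess` in the log above is reported to the caller instead of surfacing only as a PHP warning. `example_put_contents()` and the `example_fs_*` error codes are hypothetical names; the code assumes a wp-admin request in which core can resolve the credentials without prompting.

```php
<?php
// Added example: example_put_contents() is a hypothetical plugin helper,
// not WordPress core code and not the reporter's patch.
function example_put_contents( $file, $content ) {
	global $wp_filesystem;

	require_once ABSPATH . 'wp-admin/includes/file.php';
	$context = dirname( $file );

	// Resolve credentials for the configured FS_METHOD. Returns true when none
	// are needed ('direct'), an array when they are known, or false after
	// printing a credentials form; the buffer discards that form here.
	ob_start();
	$creds = request_filesystem_credentials( '', '', false, $context );
	ob_end_clean();
	if ( false === $creds ) {
		return new WP_Error( 'example_fs_creds', 'No stored filesystem credentials.' );
	}

	// WP_Filesystem() reports failure through its return value; anything but
	// true means the transport is not usable, so do not attempt the write.
	if ( ! WP_Filesystem( $creds, $context ) ) {
		$detail = 'Filesystem transport could not be initialised.';
		if ( is_object( $wp_filesystem ) && is_wp_error( $wp_filesystem->errors )
			&& $wp_filesystem->errors->has_errors() ) {
			$detail = $wp_filesystem->errors->get_error_message();
		}
		return new WP_Error( 'example_fs_init', $detail );
	}

	// put_contents() returns false on failure; hand that to the caller rather
	// than leaving a PHP warning in the log as the only trace.
	if ( ! $wp_filesystem->put_contents( $file, $content, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'example_fs_write', 'Could not write ' . $file );
	}

	return true;
}
```

The caller tests the result with `is_wp_error()` and treats a failed write of an access-control file as an error to act on, not as a log-only event.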