Closed jormaster3k closed 1 year ago
Looks like the change from trim() to sanitize_file_name() on class/Common/Cli/Command.php caused this.
Hi, just checking to see if anyone can look at this? This seems like a pretty cut-and-dry bug, and was hoping it was an easy fix.
@jormaster3k the slash removal was added as a security fix, as it was potentially possible to pass malicious code through the CLI. Perhaps you can cd into the directory within your script to export it somewhere else.
> @jormaster3k the slash removal was added as a security fix, as it was potentially possible to pass malicious code through the CLI. Perhaps you can cd into the directory within your script to export it somewhere else.
How would that work when running wp migrate remotely via SSH (--ssh)? If the SSH user has a home the export seems to get dropped there but what if the SSH user has no writing rights or no home? Losing the ability to pick up the destination path breaks down some poor-man's export workflow to local instances.
Should we just run the command over SSH instead of using the SSH flag?
Hi folks, just following up to let you know that WP Migrate 2.6 once again allows paths to be provided with slashes so that you can write the export to a directory that is different from the one in which you are running the command.
Regarding the security concerns, we have limited the sanitization to the final part of that path after the last slash, so the sanitization still takes place but no longer prevents you from providing a path to another directory.
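The narrowing described in the reply above, sketched in PHP as an added example (not WP Migrate's code): the 2.3.3 behaviour reported in this issue beside sanitization of only the part after the last slash. The function names, the sample arguments and the fallback used when WordPress's sanitize_file_name() is not loaded are assumptions.

```php
<?php
// Added example, not WP Migrate's code. Function names are hypothetical.

// Uses WordPress's sanitize_file_name() when it is loaded; otherwise a
// simplified stand-in (assumption) that keeps only letters, digits, dot,
// underscore, hyphen and space, then turns runs of spaces into a hyphen.
function example_sanitize(string $name): string
{
    if (function_exists('sanitize_file_name')) {
        return sanitize_file_name($name);
    }
    $name = preg_replace('/[^A-Za-z0-9._ -]/', '', $name);
    return trim(preg_replace('/ +/', '-', $name), '.-_');
}

// Behaviour reported for 2.3.3: the whole argument is sanitized,
// so the slashes of the directory part are stripped as well.
function sanitize_whole_argument(string $arg): string
{
    return example_sanitize($arg);
}

// Behaviour described for 2.6: only the part after the last slash is sanitized.
function sanitize_final_component(string $arg): string
{
    $pos  = strrpos($arg, '/');
    $dir  = $pos === false ? '' : substr($arg, 0, $pos + 1); // kept verbatim
    $file = example_sanitize($pos === false ? $arg : substr($arg, $pos + 1));
    if ($file === '') {
        // Nothing left after sanitizing (e.g. the argument ends in a slash).
        throw new InvalidArgumentException("no usable file name in '$arg'");
    }
    return $dir . $file;
}

// Constructed sample arguments.
foreach (['/tmp/backup.sql', 'backup.sql', '/tmp/my backup;v2.sql', '/tmp/'] as $arg) {
    try {
        $after = sanitize_final_component($arg);
    } catch (InvalidArgumentException $e) {
        $after = 'rejected: ' . $e->getMessage();
    }
    printf("%-24s whole: %-20s final part: %s\n", $arg, sanitize_whole_argument($arg), $after);
}
```

In this sketch the directory part is passed through unchanged, so a caller that needs exports confined to one location would have to check the resolved directory separately.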
It appears the latest release version 2.3.3 has a regression bug in the WP CLI migratedb function that removes slashes from the output file name.
We have scripts that take the created SQL file and import it into a new database using mysql, but since the filename changed, our scripts can no longer find the file and are failing.
This is on an Ubuntu 18.04 Linux server, so we're using forward slashes in the path.
Steps To Reproduce
Use the WP CLI migratedb command to export your WordPress site to a path containing forward slashes.
Expected Results
The output filename is used verbatim
Observed Results
The output filename has trailing slashes removed:
Expected filename: /tmp/backup.sql
Observed filename: tmpbackup.sql
I verified that this does not occur on 2.3.2, so something changed in the 2.3.3 release to break this.