
Comments (9)

schlessera commented on May 26, 2024 3

@axos88 The root folder of a WordPress installation can include all sorts of custom files, like config or .env files, analytics verification files, error logs, ...

There's no way to know which files are legit and which ones are not.

That's why WP-CLI has special behavior for the root folder and only checks files that start with wp- in that folder. If you write your foo.txt into wp-admin/ or wp-includes/, it should be detected.

from checksum-command.

axos88 commented on May 26, 2024 2

Actually introducing the .wp-ignore file would give way to implementing wp core verify-checksums --fix.


axos88 commented on May 26, 2024

Same behaviour on 2.4.0:

OS:	Linux webfe.akosv.com 3.13.0-147-generic #196-Ubuntu SMP Wed May 2 15:51:34 UTC 2018 x86_64
Shell:	/bin/bash
PHP binary:	/usr/bin/php5
PHP version:	5.5.9-1ubuntu4.29
php.ini used:	/etc/php5/cli/php.ini
WP-CLI root dir:	phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:	phar://wp-cli.phar/vendor
WP_CLI phar path:	/var/www/wordpress/<snip>
WP-CLI packages dir:	
WP-CLI global config:	
WP-CLI project config:	
WP-CLI version:	2.4.0


wojsmol commented on May 26, 2024

@axos88 You run file creation as root but wp core verify-checksums as www-data. IMHO the wrong result of wp core verify-checksums is caused by a permissions issue. Try with files created by www-data.


axos88 commented on May 26, 2024

Ha. Nice catch, didn't even think about that.

But it's not the issue (tested it), nor should it actually cause any issues (if it did, it would be another bug imho), as long as www-data can read those files. And if it can't then it should also say that there are files that cannot be read.

wp-foo.php shows up though. WTF?

# sudo -u www-data touch foo.php
# sudo -u root touch wp-foo.php
# sudo -u www-data touch wp-foo2.php
# sudo -u www-data wp core verify-checksums

Warning: File should not exist: wp-foo2.php
Warning: File should not exist: wp-foo.php
Success: WordPress installation verifies against checksums.


axos88 commented on May 26, 2024

I don't think this should be closed. These files should be listed as warnings, and not arbitrarily silently ignored. At maximum a switch should enable these files to be ignored. Even better a .wpignore file could be added.

Our system was recently infected and trashed with all sorts of files, obviously not prefixed with wp-. I didn't have any normal means to detect and remove files from the root directory.

I, as a system administrator, will know which files are installed by myself, and know to ignore them, but definitely want to know if anything else was added without my knowledge. The current behaviour does not allow this check.


axos88 commented on May 26, 2024

And you are exactly on point: wp-cli should not make a decision whether a file is legit or not. It should list everything that it sees, and let the user make the decision who actually has the necessary knowledge to make the decision. Arbitrarily filtering out files that do not start with wp- means wp-cli actually IS making that decision, and incorrectly.

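The root-folder check discussed in the comments above (list everything that is neither `wp-` prefixed nor known to the administrator) can be done outside WP-CLI. This is an added example, not WP-CLI code and not written by any commenter; the function name `audit_wp_root` and the `.wpignore` format (one exact file name per line, `#` for comments) are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not part of WP-CLI. Reports entries directly inside a
# WordPress root that do not start with "wp-" (the ones the thread says
# verify-checksums skips in that folder) and are not in an allowlist.
# Assumption: the allowlist (.wpignore, the name proposed in the thread)
# holds one exact file name per line; lines starting with '#' are comments.

audit_wp_root() {
    root=$1
    allow=${2:-$root/.wpignore}
    # Visible entries, then hidden ones ("." and ".." never match).
    for path in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        # An unmatched glob stays literal; skip it (keep dangling symlinks).
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            wp-*) continue ;;   # left to wp core verify-checksums
        esac
        # The allowlist file itself is expected to be there.
        if [ "$path" = "$allow" ]; then
            continue
        fi
        # Fixed-string, whole-line match: "foo.php" must not allow "xfoo.php".
        if [ -f "$allow" ] && grep -v '^#' "$allow" | grep -Fxq -- "$name"; then
            continue
        fi
        printf 'Unlisted: %s\n' "$name"
    done
}

# Run directly as: sh audit_wp_root.sh /var/www/wordpress [allowlist]
if [ $# -gt 0 ]; then
    audit_wp_root "$@"
fi
```

With no allowlist present every non-`wp-` entry is reported, including core's own root files, so the first run gives the list to review and record.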

josenobile commented on May 26, 2024

I strongly support the --fix flag, it saves time to properly format the files in order to put them as an argument in rm.


marcinkrzeminski commented on May 26, 2024

Hi,

I'm having kind of the same issue. While I understand that the root directory is specific and only prefixed files are verified, I have created some files in wp-content and when I run the command they are not discovered by the verify-checksums command.

Here's a screenshot (running on macOS Monterey 12.6, wp-cli at 2.6)

[Screenshot: CleanShot 2022-10-01 at 09 09 44@2x]

