Ticket #950 (closed Bug: fixed)

Opened 14 months ago

Last modified 5 months ago

File permissions of created connector files insecure

Reported by: tallyce Owned by:
Priority: Normal Milestone:
Component: File Browser Version: FCKeditor 2.4.3
Keywords: Discussion Cc:

Description

The uploader in PHP contains multiple instances of

chmod( $sFilePath, 0777 ) ;

for uploaded files or directory creations.

Can I suggest this be changed to 0774. I can't think of any reason why the very insecure o+w should be enabled. 0770 would be preferable, but I guess there could be webservers that have the webserver process not in the main user/group.

Change History

Changed 14 months ago by alfonsoml

Different people will have different needs and so I think that the best solution would be to make those permissions a setting in the config.php file, trying to be safe by default and allowing the people to adjust to even stricter settings or relaxing in order to work in that host.

Now the question would be what are good defaults for both new directories and new files.

Changed 13 months ago by tallyce

I agree that is a sensible solution.

However, again, I can see no reason whatsoever why o+w (or even o+rw for that matter) should be enabled.

So I propose 0770, or 0774 if that's really not acceptable. But definitely NOT 0777 as that's just asking for trouble.

Changed 13 months ago by fredck

  • keywords Discussion added
  • milestone deleted

If I'm not wrong, execute permissions are needed to list directories, right? Just set the permissions to 0666 and you will see that the file browser will not work.

The fact is that I've faced many shared hosting installations where the web user is not part of Group, so 0777 is required.

I agree with Alfonso that this should be something configurable instead (default to 0777 in any case). If we agree with it, we can open a dedicated ticket for each server side implementation that uses chmod: PHP, Perl and Python.

Changed 12 months ago by tallyce

The fact is that I've faced many shared hosting installations where the web user is not part of Group, so 0777 is required.

Gosh, poor customers on such hosting!

Does the web user in such cases actually need write access? 0775 would be better in such cases. I could certainly live with that.

If not, I think that this really must be configurable, on security grounds. 0777 is pretty insecure for hosts that actually are set up in a sane manner.

Changed 6 months ago by wwalc

I agree that it is something that should be configurable, I have created new tickets for it: #1871 #1872 #1873.

Changed 6 months ago by wwalc

  • status changed from new to closed
  • resolution set to fixed

Changed 5 months ago by tallyce

Thank you for fixing this in 2.6 - it is a great improvement, especially since it is also now configurable. Works perfectly.

Note: See TracTickets for help on using tickets.