[Bug 577] New - Wrong umask setting in IMP, compose.php3 creates world writable temp file

bugs@bugs.horde.org bugs@bugs.horde.org
Tue, 16 Jan 2001 09:56:58 -0400


http://bugs.horde.org/show_bug.cgi?id=577

*** shadow/577	Tue Jan 16 09:56:58 2001
--- shadow/577.tmp.14637	Tue Jan 16 09:56:58 2001
***************
*** 0 ****
--- 1,36 ----
+ Bug#: 577
+ Product: Horde
+ Version: 0.1 Alpha
+ Platform: PHP Code
+ OS/Version: Linux
+ Status: NEW   
+ Resolution: 
+ Severity: normal
+ Priority: P2
+ Component: IMP
+ Area: BUILD
+ AssignedTo: chuck@horde.org                            
+ ReportedBy: andreas@conectiva.com.br               
+ URL: 
+ Summary: Wrong umask setting in IMP, compose.php3 creates world writable temp file
+ 
+ compose.php3 uses copy to create the uploaded file with the .att extension. This
+ copy operation is done in php with opening the original file and creating a new
+ output file. This creation is done with mode 0777 and the umask is applied
+ automatically by the glibc.
+ On my system, this resulted in a temporary file with 662 permissions, that is,
+ world writable.
+ 
+ Putting an echo umask() just before that copy operation, the result was 77,
+ which seems right at first glance, but is wrong. It's 77 decimal, which is 115
+ octal and results in that world writable file.
+ 
+ I couldn't see where $default->umask is set besides defaults.php3.dist. If you
+ run the setup.php3 script, it (umask) doesn't make its way to defaults.php3.
+ An echo $default->umask near that copy also shows 077, which again seems to be
+ correct, but umask($default->umask) done in postconf.php3 won't work if
+ $default->umask is declared as string. It seems that PHP won't autoconvert the
+ string to octal, but to int (i.e., it will be like calling umask(77) instead of
+ umask(077)).
+ Adding $default->umask = 077; (without the ') to defaults.php3 fixed the problem
+ here.
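
The conversion the report describes, as an added example that is not code from IMP or Horde: a quoted `'077'` reaches `umask()` as decimal 77 (octal 115), while parsing the string as octal digits gives the intended mask. The function names `parse_umask` and `mode_created_under` and the temp file name are hypothetical; PHP's `fopen()` creates files with mode 0666, so the comparison is run against that creation mode.

```php
<?php
// Added example, not IMP/Horde code. Function names are hypothetical.

// Parse a configured umask: ints pass through, strings are read as octal digits.
function parse_umask($value): int
{
    if (is_int($value)) {
        return $value & 0777;
    }
    if (!is_string($value) || !preg_match('/^[0-7]{1,4}$/', $value)) {
        throw new InvalidArgumentException('umask must be an int or octal digits');
    }
    return (int) octdec($value) & 0777;
}

// Create a file under the given umask and return its permission bits.
function mode_created_under(int $mask): int
{
    $path = sys_get_temp_dir() . '/umask_demo_' . uniqid('', true) . '.att';
    $old = umask($mask);
    try {
        $fh = fopen($path, 'x');            // new file, requested mode 0666
        if ($fh === false) {
            throw new RuntimeException("cannot create $path");
        }
        fclose($fh);
        clearstatcache(true, $path);
        return fileperms($path) & 0777;
    } finally {
        umask($old);                        // always restore the process umask
        if (file_exists($path)) {
            unlink($path);
        }
    }
}

$configured = '077';                        // quoted, as in the report
$coerced    = (int) $configured;            // what umask('077') receives: decimal 77
$parsed     = parse_umask($configured);     // string read as octal digits

printf("coerced: %d decimal = 0%o octal -> file mode 0%o\n",
    $coerced, $coerced, mode_created_under($coerced));
printf("parsed:  %d decimal = 0%o octal -> file mode 0%o\n",
    $parsed, $parsed, mode_created_under($parsed));
```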