[Bug 577] New - Wrong umask setting in IMP, compose.php3 creates world writable temp file
bugs@bugs.horde.org
bugs@bugs.horde.org
Tue, 16 Jan 2001 09:56:58 -0400
http://bugs.horde.org/show_bug.cgi?id=577
*** shadow/577 Tue Jan 16 09:56:58 2001
--- shadow/577.tmp.14637 Tue Jan 16 09:56:58 2001
***************
*** 0 ****
--- 1,36 ----
+ Bug#: 577
+ Product: Horde
+ Version: 0.1 Alpha
+ Platform: PHP Code
+ OS/Version: Linux
+ Status: NEW
+ Resolution:
+ Severity: normal
+ Priority: P2
+ Component: IMP
+ Area: BUILD
+ AssignedTo: chuck@horde.org
+ ReportedBy: andreas@conectiva.com.br
+ URL:
+ Summary: Wrong umask setting in IMP, compose.php3 creates world writable temp file
+
+ compose.php3 uses copy to create the uploaded file with the .att extension. This
+ copy operation is done in php with opening the original file and creating a new
+ output file. This creation is done with mode 0777 and the umask is applied
+ automatically by the glibc.
+ On my system, this resulted in a temporary file with 662 permissions, that is,
+ world writable.
+
+ Putting an echo umask() just before that copy operation, the result was 77,
+ which seems right at first glance, but is wrong. It's 77 decimal, which is 115
+ octal and results in that world writable file.
+
+ I couldn't see where $default->umask is set besides defaults.php3.dist. If you
+ run the setup.php3 script, it (umask) doesn't make its way to defaults.php3.
+ An echo $default->umask near that copy also shows 077, which again seems to be
+ correct, but umask($default->umask) done in postconf.php3 won't work if
+ $default->umask is declared as string. It seems that PHP won't autoconvert the
+ string to octal, but to int (i.e., it will be like calling umask(77) instead of
+ umask(077)).
+ Adding $default->umask = 077; (without the ') to defaults.php3 fixed the problem
+ here.