2018-07-21 23:31 PDT

ID: 0000321
Project: v1.2 Release (Closed)
Category: [All Projects] General
View Status: public
Last Update: 2009-12-08 19:02
Reporter: madumlao
Assigned To: caseydk
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 1.2
Summary: 0000321: web2project files uploading demands 777 permissions when it could do with less
Description: In modules/files/addedit.php, the line that checks whether web2project can write to the files dir demands the files dir to have 777 permissions. This is not necessary and exposes the files dir to read/write access by other users on the server.

Additional Information: The preferred way to do this is using the PHP is_writable/readable/executable() functions on the files directory, because this directly tests the application's access, rather than indirectly comparing the directory's permissions. 777 should be avoided when possible.

Attached file just swaps out the long permission check in addedit.php with an is_writable call.
Tags: No tags attached.

Attached Files:
  • addedit.php.diff (1,073 bytes)
    *** modules/files/addedit.php	1970-01-01 17:13:08.000000000 +0800
    --- modules/files/addedit.php.mod	2009-12-02 01:05:29.000000000 +0800
    ***************
    *** 248,254 ****
      			</td>
      			<td align="right">
      				<?php
    ! 				if (substr(sprintf('%o', fileperms(W2P_BASE_DIR.'/files')), -4) == '0777') {
      					?><input type="button" class="button" value="<?php echo $AppUI->_('submit'); ?>" onclick="submitIt()" /><?php
      				} else {
      					?><span class="error">File uploads not allowed. Please check permissions on the /files directory.</span><?php
    --- 248,254 ----
      			</td>
      			<td align="right">
      				<?php
    ! 				if (is_writable(W2P_BASE_DIR.'/files')) {
      					?><input type="button" class="button" value="<?php echo $AppUI->_('submit'); ?>" onclick="submitIt()" /><?php
      				} else {
      					?><span class="error">File uploads not allowed. Please check permissions on the /files directory.</span><?php
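    Review bot: `is_writable(W2P_BASE_DIR.'/files')` tests what the web-server process can actually do rather than comparing mode bits, which is the right fix, but two caveats apply to this hunk. First, the test only decides whether the submit button is rendered; the form is still emitted on the else branch, and a client can POST it without the button, so the handler that receives the upload must check the result of writing the file itself rather than rely on this form-side gate. Second, is_writable() on a directory can report true while file creation still fails (a directory mode without the search bit, an ACL, or a read-only mount), and PHP serves the answer from its stat cache, so a clearstatcache() before the call and treating the message as a hint rather than proof would be prudent. The wording of the error span is still accurate and can stay as it is.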
    ***************
    *** 257,260 ****
      			</td>
      		</tr>
      	</table>
    ! </form>
    \ No newline at end of file
    --- 257,260 ----
      			</td>
      		</tr>
      	</table>
    ! </form>
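    Review bot: this second hunk changes nothing but the trailing newline after `</form>` (the `\ No newline at end of file` marker disappears). That is harmless, but it is unrelated to the permission check and turns a one-line security fix into a two-hunk diff; either drop it or call it out when committing so a reader of the change does not look for a functional difference here.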
    
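The check the reporter recommends, carried one step further, as an added example that is not part of web2project or of the attached patch: the exact-0777 test from the 1.1 form placed beside an effective-access test that also proves writability by creating and removing a probe file. `W2P_BASE_DIR.'/files'` is replaced with a scratch directory under the system temp path so the script runs anywhere, and the function names `uploadDirOkByMode` and `uploadDirOkByAccess` are the example's own.

```php
<?php
// Added example, not web2project code. Contrasts the mode-bit test that
// web2project 1.1 shipped in modules/files/addedit.php with an
// effective-access test, run against a scratch directory.

// The original test: the directory passes only if its mode is exactly 0777.
// A 0750 directory owned by the web-server user is rejected although uploads
// into it would succeed, which is what pushes admins towards chmod 777.
function uploadDirOkByMode(string $dir): bool
{
    clearstatcache(true, $dir);
    return substr(sprintf('%o', fileperms($dir)), -4) === '0777';
}

// The replacement: ask the OS whether *this* process can write there, then
// prove it by creating and deleting a file. The probe also covers cases the
// mode bits cannot express: ACLs, read-only mounts, open_basedir, or a 0755
// directory owned by a different user.
function uploadDirOkByAccess(string $dir): bool
{
    clearstatcache(true, $dir);
    if (!is_dir($dir) || !is_writable($dir)) {
        return false;
    }
    // tempnam() silently falls back to the system temp dir when $dir is not
    // usable, so confirm the probe really landed inside $dir before trusting it.
    $probe = @tempnam($dir, '.w2p-probe-');
    if ($probe === false) {
        return false;
    }
    $inside = dirname(realpath($probe)) === realpath($dir);
    @unlink($probe);
    return $inside;
}

// Demonstration on a scratch directory (constructed here for the example).
$dir = sys_get_temp_dir() . '/w2p-files-demo-' . getmypid();
mkdir($dir, 0750);
foreach ([0750, 0700, 0777] as $mode) {
    chmod($dir, $mode); // explicit chmod so the umask does not alter the mode
    printf("mode %04o: exact-0777 check=%-5s effective-access check=%-5s\n",
        $mode,
        uploadDirOkByMode($dir) ? 'true' : 'false',
        uploadDirOkByAccess($dir) ? 'true' : 'false');
}
rmdir($dir);
```

Run it with the php CLI as the user the web server runs as. On a POSIX host where that user owns the directory, the mode-bit test rejects 0750 and 0700 (the permissions a hardened deployment would actually use) while the access test accepts them, and both accept 0777. Running as root makes every access test pass regardless of mode, so it tells you nothing about the web-server account.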


Notes

~0000617

caseydk (administrator)

Awesome, you're my hero.

I've been concerned about this one but haven't been able to get to it. I'll review this one and merge/offer feedback asap.

~0000618

caseydk (administrator)

Resolved as described in r827;

Issue History
Date Modified Username Field Change
2009-12-01 08:11 madumlao New Issue
2009-12-01 08:11 madumlao File Added: addedit.php.diff
2009-12-01 09:30 caseydk Note Added: 0000617
2009-12-02 14:37 caseydk Status new => resolved
2009-12-02 14:37 caseydk Resolution open => fixed
2009-12-02 14:37 caseydk Assigned To => caseydk
2009-12-02 14:37 caseydk Note Added: 0000618
2009-12-02 14:37 caseydk Project v1.1 Release (Closed) => v1.2 Release (Closed)
2009-12-08 19:02 caseydk Status resolved => closed
2009-12-08 19:02 caseydk Fixed in Version => 1.2