#950 closed Bug (fixed)
File permissions of created connector files insecure
Reported by: | Thomas Tallyce | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | File Browser | Version: | FCKeditor 2.4.3 |
Keywords: | Discussion | Cc: |
Description
The uploader in PHP contains multiple instances of
chmod( $sFilePath, 0777 ) ;
for uploaded files or directory creations.
Can I suggest this be changed to 0774. I can't think of any reason why the very insecure o+w should be enabled. 0770 would be preferable, but I guess there could be webservers that have the webserver process not in the main user/group.
Change History (7)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
I agree that is a sensible solution.
However, again, I can see no reason whatsoever why o+w (or even o+rw for that matter) should be enabled.
So I propose 0770, or 0774 if that's really not acceptable. But definitely NOT 0777 as that's just asking for trouble.
comment:3 Changed 17 years ago by
Keywords: | Discussion added |
---|---|
Milestone: | FCKeditor 2.5 |
If I'm not wrong, execute permissions are needed to list directories, right? Just set the permissions to 0666 and you will see that the file browser will not work.
The fact is that I've faced many shared hosting installations where the web user is not part of Group, so 0777 is required.
I agree with Alfonso that this should be something configurable instead (default to 0777 in any case). If we agree with it, we can open a dedicated ticket for each server side implementation that uses chmod: PHP, Perl and Python.
comment:4 Changed 17 years ago by
The fact is that I've faced many shared hosting installations where the web user is not part of Group, so 0777 is required.
Gosh, poor customers on such hosting!
Does the web user in such cases actually need write access? 0775 would be better in such cases. I could certainly live with that.
If not, I think that this really must be configurable, on security grounds. 0777 is pretty insecure for hosts that actually are set up in a sane manner.
comment:5 Changed 17 years ago by
comment:6 Changed 17 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:7 Changed 16 years ago by
Thank you for fixing this in 2.6 - it is a great improvement, especially since it is also now configurable. Works perfectly.
Different people will have different needs and so I think that the best solution would be to make those permissions a setting in the config.php file, trying to be safe by default and allowing the people to adjust to even stricter settings or relaxing in order to work in that host.
Now the question would be what are good defaults for both new directories and new files.