Opened 11 years ago

Closed 10 years ago

Last modified 10 years ago

#950 closed Bug (fixed)

File permissions of created connector files insecure

Reported by: Thomas Tallyce
Owned by:
Priority: Normal
Milestone:
Component: File Browser
Version: FCKeditor 2.4.3
Keywords: Discussion
Cc:

Description

The uploader in PHP contains multiple instances of

chmod( $sFilePath, 0777 ) ;

for uploaded files or directory creations.

Can I suggest this be changed to 0774? I can't think of any reason why the very insecure o+w should be enabled. 0770 would be preferable, but I guess there could be webservers that have the webserver process not in the main user/group.

Change History (7)

comment:1 Changed 11 years ago by Alfonso Martínez de Lizarrondo

Different people will have different needs, so I think that the best solution would be to make those permissions a setting in the config.php file, trying to be safe by default and allowing people to adjust to even stricter settings or to relax them in order to work on that host.

Now the question would be what are good defaults for both new directories and new files.

comment:2 Changed 11 years ago by Thomas Tallyce

I agree that is a sensible solution.

However, again, I can see no reason whatsoever why o+w (or even o+rw for that matter) should be enabled.

So I propose 0770, or 0774 if that's really not acceptable. But definitely NOT 0777 as that's just asking for trouble.

comment:3 Changed 10 years ago by Frederico Caldeira Knabben

Keywords: Discussion added
Milestone: FCKeditor 2.5

If I'm not wrong, execute permissions are needed to list directories, right? Just set the permissions to 0666 and you will see that the file browser will not work.

The fact is that I've faced many shared hosting installations where the web user is not part of Group, so 0777 is required.

I agree with Alfonso that this should be something configurable instead (default to 0777 in any case). If we agree with it, we can open a dedicated ticket for each server side implementation that uses chmod: PHP, Perl and Python.

comment:4 Changed 10 years ago by Thomas Tallyce

> The fact is that I've faced many shared hosting installations where the web user is not part of Group, so 0777 is required.

Gosh, poor customers on such hosting!

Does the web user in such cases actually need write access? 0775 would be better in such cases. I could certainly live with that.

If not, I think that this really must be configurable, on security grounds. 0777 is pretty insecure for hosts that actually are set up in a sane manner.

comment:5 Changed 10 years ago by Wiktor Walc

I agree that it is something that should be configurable, I have created new tickets for it: #1871 #1872 #1873.

comment:6 Changed 10 years ago by Wiktor Walc

Resolution: fixed
Status: new → closed

comment:7 Changed 10 years ago by Thomas Tallyce

Thank you for fixing this in 2.6 - it is a great improvement, especially since it is also now configurable. Works perfectly.
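
A sketch of the configurable approach the ticket settles on, added here as an example and not taken from FCKeditor or from any participant: the setting names uploadFileMode and uploadDirMode, the helper functions and the temporary directory are hypothetical. It applies separate modes to files and directories, refuses o+w unless explicitly allowed, and audits a tree for entries left world-writable by a hard-coded 0777.

```php
<?php
// Added example; not FCKeditor code. The setting names are hypothetical.
$config = [
    'uploadFileMode' => 0664, // rw for owner/group, read-only for others, no x
    'uploadDirMode'  => 0775, // directories need x to be listed or traversed
];

// Apply a configured mode; refuse o+w unless the admin opted in explicitly.
function apply_mode(string $path, int $mode, bool $allowWorldWritable = false): void
{
    if (($mode & 0002) !== 0 && !$allowWorldWritable) {
        throw new InvalidArgumentException(sprintf('%04o grants o+w', $mode));
    }
    // Explicit chmod(): the mode passed to mkdir() is reduced by the umask.
    if (!chmod($path, $mode & 0777)) {
        throw new RuntimeException("chmod failed for $path");
    }
}

// Return every path under $root that is writable by "other".
function world_writable(string $root): array
{
    $found = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $item) {
        if (($item->getPerms() & 0002) !== 0) {
            $found[] = $item->getPathname();
        }
    }
    return $found;
}

// Constructed demo: a temporary tree standing in for the upload directory.
$root = sys_get_temp_dir() . '/upload-demo-' . getmypid();
mkdir($root, 0700);
mkdir("$root/images");
apply_mode("$root/images", $config['uploadDirMode']);
file_put_contents("$root/images/a.png", 'constructed sample');
apply_mode("$root/images/a.png", $config['uploadFileMode']);
file_put_contents("$root/legacy.txt", 'constructed sample');
chmod("$root/legacy.txt", 0777); // what the old hard-coded call produced

printf("%04o images/\n", fileperms("$root/images") & 0777);
printf("%04o images/a.png\n", fileperms("$root/images/a.png") & 0777);
print_r(world_writable($root));
```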
