As our GO installation runs with a specific uid and gid we use
to prevent other system users from accessing the stored data. This works nice as long as files are uploaded using the webinterface. As soon as fileupload is made by WebDAV files are created with 0666 and directories with 0777 which causes quite a big security issue.
We've fixed this problem temporary with the following patch:
--- go/GO.php +++ go/GO.php @@ -536,7 +536,7 @@ self::_undoMagicQuotes(); //set umask to 0 so we can create new files with mask defined in GO::config()->file_create_mode - umask(0); + umask(0027); //We use UTF8 by default. if (function_exists('mb_internal_encoding'))
As the umask is now hard coded (and will be reverted by the next update) it would be great if you could add a config option 'file_umask' which also changes the WebDAV permissions.
Bug was tested with version 5.0.5 (could you please add milestone 5.x to the list of available releases in the bug tracker?)