Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#1594 wrong file permissions when using WebDAV

v4.x
closed
nobody
1
2013-10-02
2013-09-17
Elmo
No

As our GO installation runs with a specific uid and gid we use

$config['file_create_mode']='0640';
$config['folder_create_mode']='0750';

to prevent other system users from accessing the stored data. This works nice as long as files are uploaded using the webinterface. As soon as fileupload is made by WebDAV files are created with 0666 and directories with 0777 which causes quite a big security issue.

We've fixed this problem temporary with the following patch:


--- go/GO.php
+++ go/GO.php
@@ -536,7 +536,7 @@
                        self::_undoMagicQuotes();

                        //set umask to 0 so we can create new files with mask defined in GO::config()->file_create_mode
-                       umask(0);
+                       umask(0027);

                        //We use UTF8 by default.
                        if (function_exists('mb_internal_encoding'))

As the umask is now hard coded (and will be reverted by the next update) it would be great if you could add a config option 'file_umask' which also changes the WebDAV permissions.

Bug was tested with version 5.0.5 (could you please add milestone 5.x to the list of available releases in the bug tracker?)

Discussion

  • I've solved this by using the framework functions in the dav file put function:

    $file = new GO_Base_Fs_File($this->path);
    $file->putContents($data);

    this will set correct permissions.

     
    • status: open --> closed