From d8b828e738d9629c63fda2a512294dba1cde787e Mon Sep 17 00:00:00 2001
From: Lucas D Hedding
Date: Mon, 24 Jun 2013 08:32:45 -0500
Subject: [PATCH] Issue #1908440 by chx, clemens.tolboom, Cottser, effulgentsia: Fixed CM permission settings by FileStorage make commandline tools like drush unusable.
---
 core/lib/Drupal/Component/PhpStorage/FileStorage.php | 4 ++--
 .../Component/PhpStorage/MTimeProtectedFastFileStorage.php | 12 ++++++------
 .../Component/PhpStorage/MTimeProtectedFileStorageTest.php | 3 +--
 3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
index d588af4..1ec6e45 100644
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
@@ -55,7 +55,7 @@ public function save($name, $code) {
 $path = $this->getFullPath($name);
 $dir = dirname($path);
 if (!file_exists($dir)) {
- mkdir($dir, 0700, TRUE);
+ mkdir($dir, 0711, TRUE);
 }
 return (bool) file_put_contents($path, $code);
 }
@@ -109,7 +109,7 @@ public function deleteAll() {
 protected function unlink($path) {
 if (file_exists($path)) {
 // Ensure the file / folder is writable.
- chmod($path, 0700);
+ @chmod($path, 0711);
 if (is_dir($path)) {
 $dir = dir($path);
 while (($entry = $dir->read()) !== FALSE) {
diff --git a/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php b/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php
index 4d564fb..c229423 100644
--- a/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php
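Review bot: The new `mkdir($dir, 0711, TRUE)` in save() lets every local account traverse the storage directories, while the file written by `file_put_contents($path, $code)` two lines later still takes its mode from the process umask. With a permissive umask the generated PHP is then readable by any local account that knows or can predict the path, which 0700 prevented. If that is the accepted cost of command-line access, record it next to the call, for example `// 0711: other accounts may traverse but not list; file modes come from the umask.` The mkdir() result is also ignored, so a failed create only surfaces as a failed write; `if (!file_exists($dir) && !mkdir($dir, 0711, TRUE)) { return FALSE; }` would report it directly. The same mode is passed to mkdir() in MTimeProtectedFastFileStorage::ensureDirectory().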
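Review bot: The `@` added to `chmod($path, 0711)` in unlink() silences the failure without saying why it is tolerated, and the comment above it still reads as if the call always makes the path writable. If the reason is that the path may belong to a different account (web server versus a command-line user), state it, for example `// chmod() fails when another account owns the path; deletion is still attempted.` The same suppressed call is added in MTimeProtectedFastFileStorage::save(), ensureDirectory() and cleanDirectory(), which need the same explanation. unlink()'s body continues past the hunk, so it is not visible here whether the result of the later delete is checked; if it is not, a permission failure now passes silently at both steps.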
@@ -107,7 +107,7 @@ public function save($name, $data) {
 $i = 0;
 while (($mtime = $this->getUncachedMTime($directory)) && ($mtime != $previous_mtime)) {
 $previous_mtime = $mtime;
- chmod($directory, 0700);
+ @chmod($directory, 0711);
 // Reset the file back in the temporary location if this is not the first
 // iteration.
 if ($i > 0) {
@@ -121,10 +121,10 @@ public function save($name, $data) {
 $full_path = $this->getFullPath($name, $directory, $mtime);
 rename($temporary_path, $full_path);
- // Leave the directory neither readable nor writable. Since the file
+ // Leave the directory writable and traversable. Since the file
 // itself is not writable (set to 0400 at the beginning of this function),
 // there's no way to tamper with it without access to change permissions.
- chmod($directory, 0100);
+ chmod($directory, 0333);
 $i++;
 }
 return TRUE;
@@ -147,9 +147,9 @@ public function delete($name) {
 */
 protected function ensureDirectory() {
 if (!file_exists($this->directory)) {
- mkdir($this->directory, 0700, TRUE);
+ mkdir($this->directory, 0711, TRUE);
 }
- chmod($this->directory, 0700);
+ @chmod($this->directory, 0711);
 $htaccess_path = $this->directory . '/.htaccess';
 if (!file_exists($htaccess_path) && file_put_contents($htaccess_path, self::HTACCESS)) {
 @chmod($htaccess_path, 0444);
@@ -163,7 +163,7 @@ protected function ensureDirectory() {
 * The directory to be emptied out.
 */
 protected function cleanDirectory($directory) {
- chmod($directory, 0700);
+ @chmod($directory, 0711);
 foreach (new DirectoryIterator($directory) as $fileinfo) {
 if (!$fileinfo->isDot()) {
 $this->unlink($fileinfo->getPathName());
diff --git a/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageTest.php b/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageTest.php
index 355b248..4ad42b9 100644
--- a/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageTest.php
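Review bot: The reworded comment above `chmod($directory, 0333)` in save() still concludes that there is "no way to tamper with it without access to change permissions", and that no longer matches the mode being set. With write and search permission granted to group and other, any local account can add, rename or remove entries in this directory, and the 0400 mode on the file does not prevent that, because those operations are governed by the directory's permissions. What remains appears to be the file name derived from the directory mtime through `getFullPath($name, $directory, $mtime)`; its body is outside the hunk, so this is inferred. The comment should say so, for example `// 0333 lets other accounts add or remove entries but not list them; integrity rests on the mtime-keyed file name, not on directory permissions.` The documentation should also state that another local account can now invalidate the stored code by changing the directory, which forces a rewrite.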
+++ b/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageTest.php
@@ -72,7 +72,7 @@ function testSecurity() {
 // permissions, so mask with 0777.
 $this->assertTrue(file_exists($expected_filename));
 $this->assertSame(fileperms($expected_filename) & 0777, 0400);
- $this->assertSame(fileperms($expected_directory) & 0777, 0100);
+ $this->assertSame(fileperms($expected_directory) & 0777, 0333);
 // Ensure the root directory for the bin has a .htaccess file denying web
 // access.
@@ -84,7 +84,6 @@ function testSecurity() {
 // a second of the initial save().
 sleep(1);
 for ($i = 0; $i < 2; $i++) {
- $storageFactory = new PhpStorageFactory();
 $php = $this->storageFactory->get('simpletest');
 $GLOBALS['hacked'] = FALSE;
 $untrusted_code = "