Problem/Motivation
PHP files should not have execution permissions to avoid security problems.
Proposed resolution
Use the find command on Drupal 8 HEAD to check whether any PHP or static file (PNG, SVG, GIF, JPG) outside core has execute permissions. Revoke execute permission from those PHP files so that they remain at 644.
Remaining tasks
N/A
User interface changes
N/A
API changes
N/A
Original report by @alexpott
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | fix_file_permission-2401919-12.patch | 1.05 KB | icampana |
| #2 | file-permission-once-more.patch | 737 bytes | jibran |
| | d8.file-perms.patch | 3.1 KB | alexpott |
Comments
Comment #1
ParisLiakos (CreditAttribution: ParisLiakos) commented: we shouldn't touch vendor, right?
Comment #2
jibran commented: removed core/vendor/ and I think SVGs can be executable.
Comment #5
Samshel (CreditAttribution: Samshel) commented: I'm at DrupalCon #LatinAmerica2015.
Checked the file permissions listed in comment #2's patch before applying it on the HEAD version of Drupal 8. All the files had execute permissions.
Applied the patch posted in comment #2. The files no longer have execute permissions.
Patch worked correctly.
Comment #6
ParisLiakos (CreditAttribution: ParisLiakos) commented: nah. why would one need to execute an svg ;)
Comment #7
icampana commented: I'm also at DrupalCon #LatinAmerica2015.
I used the find command on Linux to check whether the issue was still present on the latest Drupal 8 version; I checked HEAD and it still existed. In case you need to make that sort of revision again, we are excluding the core folder as pointed out by ParisLiakos; the command I used is:
find -executable -name '*.php' | grep -v "core/vendor"
The result is:
After applying the patch in comment #2 and re-running the command, the issue seems to be gone, so I think it's ready to be committed.
Comment #8
xavier.cabrera (CreditAttribution: xavier.cabrera) commented: I am also at DrupalCon LatinAmerica2015 and I also confirmed the RTBC works.
Comment #9
alejandrovaras (CreditAttribution: alejandrovaras) commented
Comment #10
alexpott commented: We should fix the svgs that are not in vendor as well.
Comment #11
icampana commented
Comment #12
icampana commented: I included regular files, so that even the static files (svg, gif, jpg, css, etc.) don't get included if they have those permissions; the updated command is the following (the extension match is written with escaped dots so that, for example, a .csv file is not picked up by an unanchored svg pattern):
find ./ -regextype posix-awk -regex ".*\.(php|jpg|png|gif|css|svg)" -executable -type f | grep -v "core/vendor"
You can change the permissions on the fly by using a call to xargs:
find ./ -regextype posix-awk -regex ".*\.(php|jpg|png|gif|css|svg)" -executable -type f | grep -v "core/vendor" | xargs chmod a-x
I include the updated patch for review.
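The following script is an added example and is not part of the issue, its patches, or Drupal core. It turns the one-off find/xargs check from the issue summary and from comment #12 into a repeatable audit-and-fix: it lists PHP and static asset files that carry any execute bit, prunes core/vendor rather than filtering it out with grep, revokes the bit so a 755 file ends up at 644, and verifies the result. The directory names and files it creates are a constructed sample tree, not paths from a real Drupal checkout.

```shell
#!/bin/sh
# Added example (not from the Drupal issue, its patches, or Drupal core):
# an audit-and-fix for files that should never carry an execute bit.
# It lists PHP and static asset files with any execute bit set, skips
# core/vendor as the patch does, and revokes the bit so 755 becomes 644.
# The sample tree below is constructed for this demo; paths are not Drupal's.
set -eu

# Print every regular file under $1 with a .php/.jpg/.png/.gif/.css/.svg
# suffix that has an execute bit for user, group or other.
# core/vendor is pruned inside find rather than filtered with grep -v, so an
# empty result cannot turn into a non-zero grep exit status under set -e.
find_executable_assets() {
  root=$1
  find "$root" -path "$root/core/vendor" -prune -o -type f \
    \( -name '*.php' -o -name '*.jpg' -o -name '*.png' \
       -o -name '*.gif' -o -name '*.css' -o -name '*.svg' \) \
    \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print
}

# Number of offending files; a CI gate would require this to be 0.
count_executable_assets() {
  find_executable_assets "$1" | wc -l | tr -d ' '
}

# Revoke execute bits on every offending file (chmod a-x, as in comment #12).
fix_executable_assets() {
  find_executable_assets "$1" | while IFS= read -r f; do
    chmod a-x "$f"
  done
}

# Symbolic mode of a file, e.g. -rw-r--r-- for 644 (portable via ls).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Build a constructed sample tree with the cases the issue discusses:
# an executable module PHP file and SVG (must be fixed), an executable
# vendor PHP file (must be skipped), a non-executable PNG (already fine),
# and an executable .txt that is outside the extensions in scope.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/core/vendor/lib" "$dir/modules/example" "$dir/themes/example"
  printf '<?php\n' > "$dir/modules/example/example.php"
  printf '<svg/>\n' > "$dir/themes/example/logo.svg"
  printf 'png\n' > "$dir/themes/example/screenshot.png"
  printf '<?php\n' > "$dir/core/vendor/lib/autoload.php"
  printf 'notes\n' > "$dir/modules/example/README.txt"
  chmod 755 "$dir/modules/example/example.php" "$dir/themes/example/logo.svg" \
    "$dir/core/vendor/lib/autoload.php" "$dir/modules/example/README.txt"
  chmod 644 "$dir/themes/example/screenshot.png"
  printf '%s\n' "$dir"
}

# Demo: report offenders, fix them, confirm none remain, clean up.
demo_tree=$(make_sample_tree)
echo "Executable assets before fix:"
find_executable_assets "$demo_tree"
fix_executable_assets "$demo_tree"
echo "Executable assets after fix: $(count_executable_assets "$demo_tree")"
rm -rf "$demo_tree"
```

To run the check against a real checkout, call `count_executable_assets /path/to/drupal` and fail the build when it prints anything other than 0; `fix_executable_assets` applies the same `chmod a-x` the patch did, and because the file list is built by find itself, core/vendor is never touched.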
Comment #13
ParisLiakos (CreditAttribution: ParisLiakos) commented: yes, that seems to do the trick.
Thanks!
Comment #14
jibran commented: Oh yeah, my bad :) SVG can have JS but it doesn't have to be executable.
Comment #16
webchick commented: Nice catch, thanks for the fixes, and for all the thorough research!
Committed and pushed to 8.0.x. Thanks!