Closed (fixed)
Project:
Drush Views
Version:
6.x-3.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Reporter:
Created:
16 Mar 2010 at 15:12 UTC
Updated:
22 Apr 2012 at 14:51 UTC
Jump to comment: Most recent file
When the module creates a directory to export the views, this is the code (line 121):
@mkdir($target_path, 0777, TRUE);
This seems like a bad idea to me. The 'all' group should never have write permissions on any web server. I'd suggest a more restrictive default, 0775 at the least.
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | drush_views_743970-4.patch | 1.04 KB | xjm |
Comments
Comment #1
pescetti commentedWell, whether 777 is acceptable or not depends of course on context, might be necessary in some (admittedly flawed) situations and the target dir is not necessarily under the web root.
What should be corrected is the fact that we hardcode permissions.
We could just create a dir having the same permissions as its deepest existing parent (which surely include, of course, write permissions for the current user or the export will fail anyway). Could this be a solution? This would respect whatever existing setup the user has.
Comment #2
xjmThat sounds like a good idea to me. I'll come up with a patch.
Comment #3
xjmAs I was testing my patch, I noticed that the directories are not, in fact, created with the 0777 permissions. Apparently the permissions argument is set against the current umask(), and Apache inherits the umask of the user that starts the process, typically 0022. So by default directories will be created as 0755 unless the user has already modified the environment. (This still might be more permissive than the user's chosen export directory, though.)
Comment #4
xjmAttached patch creates the directory with the permissions of the parent directory, if it exists, or of the Drupal directory if it does not.
Comment #5
xjmTested the patch; it works properly on my system.
Comment #6
pescetti commentedThanks, applied.