diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2023-02-06 15:42:53 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2023-02-06 15:42:53 +0100 |
| commit | e899e4edd97c296a29b2a8da2c2e3b598622c36e (patch) | |
| tree | 3a1c0f3afe381ffc7e7954fd0e2e8cc43e8a54fe /app/Controllers/userController.php | |
| parent | de2077b56388c5196d5c1ddcbbd4a141ea8cf67b (diff) | |
More robust application of access permissions (#5062)
* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to account to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037
* Minor simplification
* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
Diffstat (limited to 'app/Controllers/userController.php')
| -rw-r--r-- | app/Controllers/userController.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 55b4ca7cb..ac8f3be82 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -242,7 +242,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { } if ($ok) { if (!is_dir($homeDir)) { - mkdir($homeDir); + mkdir($homeDir, 0770, true); } $ok &= (file_put_contents($configPath, "<?php\n return " . var_export($userConfig, true) . ';') !== false); } |