DavidBruchmann / typo3_forum

An Extbase-based TYPO3 Extension which is called typo3_forum. This fork is working in TYPO3 Version 8 and under development. Testing, Issue-reports and Pull-requests are welcome!
https://www.tukani.de
GNU General Public License v2.0

[SECURITY] AttachmentService creates directory with 777-permissions #42

Closed schams-net closed 5 years ago

schams-net commented 6 years ago

If the upload directory for attachments does not exist (yet), the AttachmentService creates a new directory automatically. It uses mode 0777, which is the widest possible access and therefore a possible security issue, depending on the server setup.

Class Mittwald\Typo3Forum\Service\AttachmentService:

```php
[...]
// Create dir if not exists
$tca = $attachmentObj->getTCAConfig();
$path = $tca['columns']['real_filename']['config']['uploadfolder'];
if (!file_exists($path)) {
  mkdir($path, 0777, true);
}
[...]
```

DavidBruchmann commented 6 years ago

There exists an API call to set the rights according to settings, right?

DavidBruchmann commented 6 years ago

lowered access rights with 69bfa81 but still no API usage
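
The "depending on the server setup" part of the report comes down to the process umask: PHP's `mkdir()` masks the requested mode with it, so `0777` yields `0755` under umask `022` but a world-writable directory under umask `0`. The following is an added example, not code from typo3_forum or from commit 69bfa81; the function names, the `0750` default and the temp-directory paths are assumptions made for illustration, and POSIX file modes are assumed.

```php
<?php
// Added example (not typo3_forum code); names and the 0750 default are assumptions.

/** Create $path recursively and set an explicit mode, independent of the umask. */
function createUploadDir(string $path, int $mode = 0750): void
{
    if ($path === '') {
        throw new InvalidArgumentException('Empty path');
    }
    // Record which components are missing, so only those get chmod'ed.
    $missing = [];
    for ($p = $path; !is_dir($p); $p = dirname($p)) {
        $missing[] = $p;
    }
    if ($missing === []) {
        return; // already present: leave existing permissions alone
    }
    // Create owner-only first; the final mode is applied explicitly below.
    if (!mkdir($path, 0700, true) && !is_dir($path)) {
        throw new RuntimeException("Cannot create directory: $path");
    }
    foreach ($missing as $dir) {
        chmod($dir, $mode);
    }
}

function isWorldWritable(string $dir): bool
{
    clearstatcache(true, $dir);
    return (fileperms($dir) & 0002) !== 0;
}

// Constructed demo in a throwaway temp directory.
$base = sys_get_temp_dir() . '/forum_demo_' . bin2hex(random_bytes(4));
$oldUmask = umask(0); // permissive umask: the setup where 0777 applies in full

mkdir("$base/weak/attachments", 0777, true);  // pattern from the issue
createUploadDir("$base/safe/attachments");    // explicit mode

clearstatcache();
foreach (['weak', 'safe'] as $name) {
    $dir = "$base/$name/attachments";
    printf("%s: %04o world-writable=%s\n", $name, fileperms($dir) & 07777,
        isWorldWritable($dir) ? 'yes' : 'no');
    rmdir($dir);
    rmdir(dirname($dir));
}
rmdir($base);
umask($oldUmask);
```

Inside TYPO3, the core's `GeneralUtility::mkdir_deep()` creates directories and applies the mode configured in `$GLOBALS['TYPO3_CONF_VARS']['SYS']['folderCreateMask']`, so the extension would not need a hard-coded mode at all.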