Merge pull request #46 from ashnazg/mkdir-perms

mcdruid · web-flow · commit 32ef9ea2bc57 · 2024-01-29T20:32:49.000Z
use 775 default for mkdirs, to avoid world-write
diff --git a/Archive/Tar.php b/Archive/Tar.php
@@ -2115,7 +2115,7 @@ public function _extractList(
                 if ($v_extract_file) {
                     if ($v_header['typeflag'] == "5") {
                         if (!@file_exists($v_header['filename'])) {
-                            if (!@mkdir($v_header['filename'], 0777)) {
+                            if (!@mkdir($v_header['filename'], 0775)) {
                                 $this->_error(
                                     'Unable to create directory {'
                                     . $v_header['filename'] . '}'
@@ -2448,7 +2448,7 @@ public function _dirCheck($p_dir)
             return false;
         }
 
-        if (!@mkdir($p_dir, 0777)) {
+        if (!@mkdir($p_dir, 0775)) {
             $this->_error("Unable to create directory '$p_dir'");
             return false;
         }
diff --git a/tests/dir_permissions.phpt b/tests/dir_permissions.phpt
@@ -0,0 +1,22 @@
+--TEST--
+test permissions of created dirs
+--SKIPIF--
+--FILE--
+<?php
+require_once dirname(__FILE__) . '/setup.php.inc';
+umask('000'); // force default to 777 to confirm we create tighter
+$tar = new Archive_Tar(dirname(__FILE__) . '/dir_permissions.tar');
+$tar->extract('', true);
+$phpunit->assertNoErrors('after');
+echo substr(sprintf('%o', fileperms('dir_permissions')), -4), PHP_EOL;
+echo 'tests done';
+?>
+--CLEAN--
+<?php
+unlink('dir_permissions/a.txt');
+unlink('dir_permissions/b.txt');
+rmdir('dir_permissions');
+?>
+--EXPECT--
+0775
+tests done
diff --git a/tests/dir_permissions.tar b/tests/dir_permissions.tar
