mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-05-03 12:43:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

More robust application of access permissions (#5062)

Browse Source 
* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to account to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037

* Minor simplification

* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
This commit is contained in:
Alexandre Alapetite
2023-02-06 15:42:53 +01:00
committed by GitHub
parent de2077b563
commit e899e4edd9
11 changed files with 36 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/Controllers/userController.php
View File

@@ -242,7 +242,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
}
if ($ok) {
if (!is_dir($homeDir)) {
mkdir($homeDir);
mkdir($homeDir, 0770, true);
}
$ok &= (file_put_contents($configPath, "<?php\n return " . var_export($userConfig, true) . ';') !== false);
}