#402: AgaviUploadedFile::move() creates world writeable files and directories by default
--------------------------------------------+-------------------------------
Reporter: [EMAIL PROTECTED] | Owner: david
Type: defect | Status: new
Priority: normal | Milestone:
Component: request | Version: HEAD
Severity: normal | Keywords: world writeable, upload file, AgaviUploadedFile
--------------------------------------------+-------------------------------
The move() method in AgaviUploadedFile has default file permissions of
0666 and default directory permissions of 0777, thus creating world
writeable files and directories. This is a security problem and should be
fixed, either by setting the permissions to group writeable or by inheriting
the permissions of the parent directory.

The move method also contains an unused variable:
{{{
if(!is_readable($directory)) {
    $fmode = 0777; // assigned here, never read again in move()
}
}}}
The variable $fmode is never used in this method and thus should be
removed.
--
Ticket URL: <http://trac.agavi.org/ticket/402>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
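
A sketch of the remedy the ticket proposes (inherit the parent directory's permissions and never grant world-write), as an added example that is not Agavi's code. The function names `file_mode_from_dir()` and `move_without_world_write()` are hypothetical, and `rename()` stands in for `move_uploaded_file()` so the block runs outside an upload request.

```php
<?php
// Added example, not Agavi code; names and defaults are hypothetical. Needs PHP 7.1+.

// Files inherit the directory's read/write bits but no execute/search bits.
function file_mode_from_dir(int $dirMode): int
{
    return $dirMode & 0666;
}

// Move $source to $destination, creating missing parent directories.
// Modes default to those of the nearest existing ancestor directory;
// the world-write bit (0002) is stripped even if the caller asks for it.
function move_without_world_write(string $source, string $destination,
                                  ?int $fileMode = null, ?int $dirMode = null): bool
{
    $directory = dirname($destination);

    // Walk up to the nearest directory that already exists.
    $ancestor = $directory;
    while (!is_dir($ancestor) && dirname($ancestor) !== $ancestor) {
        $ancestor = dirname($ancestor);
    }
    $inherited = fileperms($ancestor) & 0777; // drops setuid/setgid/sticky

    $dirMode  = ($dirMode  ?? $inherited) & ~0002;
    $fileMode = ($fileMode ?? file_mode_from_dir($inherited)) & ~0002;

    // mkdir() applies the process umask on top of $dirMode, which can only
    // remove bits, so the result is never more permissive than $dirMode.
    if (!is_dir($directory) && !mkdir($directory, $dirMode, true)) {
        return false;
    }
    if (!rename($source, $destination)) {
        return false;
    }
    // chmod() ignores the umask, so the file ends up with exactly $fileMode.
    return chmod($destination, $fileMode);
}

// Constructed demo: move a temp file into a new subdirectory and print the modes.
$src = tempnam(sys_get_temp_dir(), 'up');
$dst = sys_get_temp_dir() . '/demo_' . uniqid() . '/stored.bin';
var_dump(move_without_world_write($src, $dst));
clearstatcache();
printf("dir %04o file %04o\n", fileperms(dirname($dst)) & 0777, fileperms($dst) & 0777);
```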