https://bugzilla.wikimedia.org/show_bug.cgi?id=34945
Web browser: ---
Bug #: 34945
Summary: LocalSettings.php readable by other users
Product: MediaWiki
Version: 1.16.5
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: Unprioritized
Component: Installation
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
Classification: Unclassified
Mobile Platform: ---
Description of problem:
[viktor@alex wiki]$ cd /var/www/wiki/
[viktor@alex wiki]$ ls -l LocalSettings.php
-rw-rw-rw-. 1 apache apache 4343 Mar 4 03:38 LocalSettings.php
LocalSettings.php is readable and writeable by all local users. Since this file
may contain database credentials it shouldn't be globally writeable.
I'm not sure whether the wikimedia-installation script generates this file, so
it may not be fixable in the rpm-package (I'm using the rpm provided by
FedoraCore16), but in the mediawiki-source.
As far as I understood, the error is in installer/LocalSettingsGenerator.php
[1]:
    /**
     * Write the generated LocalSettings to a file
     *
     * @param $fileName String Full path to filename to write to
     */
    public function writeFile( $fileName ) {
        file_put_contents( $fileName, $this->getText() );
    }
The file_put_contents-call seems to use the default umask.
[1] which I took from:
svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/installer/LocalSettingsGenerator.php
Since I'm not a PHP-programmer, I hope someone with more knowledge can confirm
my observation (maybe with a fresh install from svn).
regards
Viktor
Version-Release number of selected component (if applicable):
1.16.5-59.fc16
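
Added example, not part of the original report and not MediaWiki code: a POSIX shell sketch showing how the umask in effect at write time decides the mode of a newly created settings file, with a check for "other" read/write bits and an owner-only fix. The function names and the sample file contents are constructed for illustration, and mode 600 assumes the file is owned by the web server user, as in the listing above.

```shell
#!/bin/sh
# Added example (not MediaWiki code). A plain write creates a new file with
# mode 0666 masked by the process umask, so the umask decides who can read it.

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when the "other" class has read and/or write permission.
world_accessible() {
    case "$(file_mode "$1")" in
        *[2-7]) return 0 ;;   # last octal digit has bit 4 (r) and/or bit 2 (w)
        *)      return 1 ;;
    esac
}

# Write a constructed stand-in settings file under the given umask.
# The subshell keeps the caller's own umask unchanged.
write_settings() {   # usage: write_settings UMASK PATH
    ( umask "$1" && printf '%s\n' '<?php # constructed sample, no real secrets' > "$2" )
}

# Remediation for an existing file: owner-only read/write.
lock_down() {
    chmod 600 "$1"
}

# Compare three umasks: 000 reproduces the mode in the report's listing.
demo() {
    dir=$(mktemp -d) || return 1
    for mask in 000 022 077; do
        f="$dir/LocalSettings.$mask.php"
        write_settings "$mask" "$f"
        if world_accessible "$f"; then verdict=EXPOSED; else verdict=ok; fi
        printf 'umask %s -> mode %s %s\n' "$mask" "$(file_mode "$f")" "$verdict"
    done
    rm -rf "$dir"
}
demo
```

A umask only applies when the file is created; an existing file keeps its mode on rewrite, so an already exposed LocalSettings.php still needs the chmod.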