[DCOM-293] Fix security misconfiguration vulnerability that can allow…

… local arbitrary code execution.
doctrine · Aug 31, 2015 · f25c8aa · f25c8aa
1 parent f4a9170
commit f25c8aa
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/lib/Doctrine/Common/Annotations/FileCacheReader.php b/lib/Doctrine/Common/Annotations/FileCacheReader.php
@@ -56,6 +56,11 @@ class FileCacheReader implements Reader
      */
     private $classNameHashes = array();
 
+    /**
+     * @var int
+     */
+    private $umask;
+
     /**
      * Constructor.
      *
@@ -65,10 +70,19 @@ class FileCacheReader implements Reader
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct(Reader $reader, $cacheDir, $debug = false)
+    public function __construct(Reader $reader, $cacheDir, $debug = false, $umask = 0002)
     {
+        if ( ! is_int($umask)) {
+            throw new \InvalidArgumentException(sprintf(
+                'The parameter umask must be an integer, was: %s',
+                gettype($umask)
+            ));
+        }
+
         $this->reader = $reader;
-        if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) {
+        $this->umask = $umask;
+
+        if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777 & (~$this->umask), true)) {
             throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $cacheDir));
         }
 
@@ -206,12 +220,12 @@ private function saveCacheFile($path, $data)
             throw new \RuntimeException(sprintf('Unable to write cached file to: %s', $tempfile));
         }
 
+        @chmod($tempfile, 0666 & (~$this->umask));
+
         if (false === rename($tempfile, $path)) {
             @unlink($tempfile);
             throw new \RuntimeException(sprintf('Unable to rename %s to %s', $tempfile, $path));
         }
-
-        @chmod($path, 0666 & ~umask());
     }
 
     /**