[DCOM-293] Fix security misconfiguration vulnerability allowing local…

… remote arbitrary code execution.

lib/Doctrine/ORM/Cache/Region/FileLockRegion.php

@@ -61,7 +61,7 @@ class FileLockRegion implements ConcurrentRegion
      */
     public function __construct(Region $region, $directory, $lockLifetime)
     {
-        if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) {
+        if ( ! is_dir($directory) && ! @mkdir($directory, 0775, true)) {
             throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $directory));
         }
 
@@ -242,6 +242,7 @@ public function lock(CacheKey $key)
         if ( ! @file_put_contents($filename, $lock->value, LOCK_EX)) {
             return null;
         }
+        chmod($filename, 0664);
 
         return $lock;
     }

lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php

@@ -137,7 +137,7 @@ protected function execute(InputInterface $input, OutputInterface $output)
 
         // Process destination directory
         if ( ! is_dir($destPath = $input->getArgument('dest-path'))) {
-            mkdir($destPath, 0777, true);
+            mkdir($destPath, 0775, true);
         }
         $destPath = realpath($destPath);
 

lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php

@@ -79,7 +79,7 @@ protected function execute(InputInterface $input, OutputInterface $output)
         }
 
         if ( ! is_dir($destPath)) {
-            mkdir($destPath, 0777, true);
+            mkdir($destPath, 0775, true);
         }
 
         $destPath = realpath($destPath);

lib/Doctrine/ORM/Tools/EntityGenerator.php

@@ -364,7 +364,7 @@ public function writeEntityClass(ClassMetadataInfo $metadata, $outputDirectory)
         $dir = dirname($path);
 
         if ( ! is_dir($dir)) {
-            mkdir($dir, 0777, true);
+            mkdir($dir, 0775, true);
         }
 
         $this->isNew = !file_exists($path) || (file_exists($path) && $this->regenerateEntityIfExists);
@@ -389,6 +389,7 @@ public function writeEntityClass(ClassMetadataInfo $metadata, $outputDirectory)
         } elseif ( ! $this->isNew && $this->updateEntityIfExists) {
             file_put_contents($path, $this->generateUpdatedEntityClass($metadata, $path));
         }
+        chmod($path, 0664);
     }
 
     /**

lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php

@@ -147,11 +147,12 @@ public function writeEntityRepositoryClass($fullClassName, $outputDirectory)
         $dir = dirname($path);
 
         if ( ! is_dir($dir)) {
-            mkdir($dir, 0777, true);
+            mkdir($dir, 0775, true);
         }
 
         if ( ! file_exists($path)) {
             file_put_contents($path, $code);
+            chmod($path, 0664);
         }
     }
 

lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php

@@ -130,7 +130,7 @@ public function setOutputDir($dir)
     public function export()
     {
         if ( ! is_dir($this->_outputDir)) {
-            mkdir($this->_outputDir, 0777, true);
+            mkdir($this->_outputDir, 0775, true);
         }
 
         foreach ($this->_metadata as $metadata) {
@@ -139,12 +139,13 @@ public function export()
                 $path = $this->_generateOutputPath($metadata);
                 $dir = dirname($path);
                 if ( ! is_dir($dir)) {
-                    mkdir($dir, 0777, true);
+                    mkdir($dir, 0775, true);
                 }
                 if (file_exists($path) && !$this->_overwriteExistingFiles) {
                     throw ExportException::attemptOverwriteExistingFile($path);
                 }
                 file_put_contents($path, $output);
+                chmod($path, 0664);
             }
         }
     }