Security: Create new files without execution permission

[nekr0z]

Files created by PhotoPrism, such as the imported files ending up in the "originals" directory, album YAMLs under "storage/albums/folder", YAMLs under "storage/sidecar" folder, and many other, are created with executable bit set in permissions.

Steps to reproduce:

1. Have a photo imported.
2. Check permissions on the file that appeared in "originals".

Expected behavior:

The created files don't have the executable bit set unless they are executables.

Likely cause of the problem:

photoprism/internal/photoprism/mediafile.go

Line 687 in 69682de

destFile, err := os.OpenFile(dest, os.O_RDWR|os.O_CREATE, os.ModePerm)

and

photoprism/pkg/fs/copy.go

Line 30 in 69682de

destFile, err := os.OpenFile(dest, os.O_RDWR|os.O_CREATE, os.ModePerm)

(and maybe other places) use os.ModePerm that is 0o777; need to use 0o666, since the file created is not intended to be an executable in either case.

[lastzero]

@nekr0z Would you be able to test this for us? No CLA required 😉

[nekr0z]

@nekr0z Would you be able to test this for us? No CLA required wink

Sure, will give the preview a try as soon as I have time (most likely, on Friday or Saturday), will report back as soon as.

[nekr0z]

Closed already, but FWIW everything looks good: imports, sidecars, config (I haven't tested album YAMLs yet, but no reason to think they'd behave differently).

[lastzero]

Thank you! Yeah, closed, since we already released it and of course tested it ourselves as well.