Security: Create new files without execution permission #2809
Comments
Signed-off-by: Michael Mayer <michael@photoprism.app>
@nekr0z Would you be able to test this for us? No CLA required 😉
Sure, will give the preview a try as soon as I have time (most likely, on Friday or Saturday), will report back as soon as.
Closed already, but FWIW everything looks good: imports, sidecars, config (I haven't tested album YAMLs yet, but no reason to think they'd behave differently).
Thank you! Yeah, closed, since we already released it and of course tested it ourselves as well.
Files created by PhotoPrism, such as the imported files ending up in the "originals" directory, album YAMLs under "storage/albums/folder", YAMLs under "storage/sidecar" folder, and many others, are created with the executable bit set in permissions.
Steps to reproduce:
Expected behavior:
The created files don't have the executable bit set unless they are executables.
Likely cause of the problem:
photoprism/internal/photoprism/mediafile.go
Line 687 in 69682de
photoprism/pkg/fs/copy.go
Line 30 in 69682de
os.ModePerm that is 0o777; need to use 0o666, since the file created is not intended to be an executable in either case.
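An added example, not PhotoPrism's code and not part of the original issue: it creates one file with os.ModePerm and one with 0o666 to show the resulting modes after the umask is applied, then walks a directory to flag regular files that carry any execute bit. The use of os.OpenFile, the helper names createFile and findExecutable, and the file names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// createFile (hypothetical helper) creates path with perm and returns the mode left after the umask.
func createFile(path string, perm fs.FileMode) (fs.FileMode, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// findExecutable (hypothetical helper) lists regular files under root with any execute bit set.
func findExecutable(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // nil when the entry is simply not a regular file
		}
		info, err := d.Info()
		if err == nil && info.Mode().Perm()&0o111 != 0 {
			hits = append(hits, p)
		}
		return err
	})
	return hits, err
}

func main() {
	dir, err := os.MkdirTemp("", "permdemo") // constructed scratch directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	before, _ := createFile(filepath.Join(dir, "before.yml"), os.ModePerm) // 0o777 requested
	after, _ := createFile(filepath.Join(dir, "after.yml"), 0o666)
	hits, _ := findExecutable(dir)
	fmt.Printf("os.ModePerm -> %v, 0o666 -> %v, flagged: %v\n", before, after, hits)
}
```

Pointing findExecutable at an existing "originals" or "storage/sidecar" directory lists the files that were already written with the execute bit and may need a one-time chmod.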