[pmwiki-users] Uploaded files world readable!?
5ko at 5ko.fr
Sun Dec 30 18:48:14 CST 2012
Patrick R. Michaud writes:
> On Wed, Dec 26, 2012 at 08:21:56PM +0100, Oliver Betz wrote:
> > upload.php uses "fixperms($filepath,0444);", therefore uploaded files
> > get world read access, correct?
> > Why is this needed?
> The fixperms() function detects when this occurs and makes sure
> that the account that installed PmWiki always retains appropriate
> permissions to any files that are uploaded. Sometimes the only
> way to do this is by adding world read permissions.

The second argument 0444 causes world read permissions always, not
sometimes. No matter if the file owner and the directory owner are the same
or in the same group or not.

I assume that on some installations, one can have the FTP account, the
PHP CGI/FastCGI process and the HTTP server all 3 different owners, and if
the server doesn't have read permissions, visitors will see the error 403.

OTOH, I know some hosting providers where all FTP/SSH accounts are in the
"users" group, and all files must have no permission for that group or there
is an internal server error. The server process is not in the same group, so
all files should have 0404 or 0606 permissions. This allows both the SSH
owner and the server to read or modify the files, but an SSH user cannot
see or modify the files of another SSH user.

Patrick, do you think this second argument should be made modifiable by a
wiki admin? And should it be 0444 by default or O?
The function fixperms() is only called with a second argument from
upload.php. This second argument was added in version 2.0.devel27 (25-
> > BTW: There is no "fixperms" for "Mini" thumbnails.
Both Thumblist and Mini don't use the fixperms() function for the
thumbnails. Indeed, since 2006, nobody has told me there was a problem with
permissions. But also, both recipes provide a way to remove the thumbnails
from within the wiki with ?action=purgethumbs so probably nobody needed
> There probably should be, although PHP installations running under
> "nobody" accounts are becoming far less common (and this is a
> very good thing IMO).
I'll add it, but without a second argument for now.
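
The following is an added example, not part of the original message and not PmWiki code: a simplified model of the classic Unix permission check, showing why 0404 or 0606 keeps other members of a shared "users" group out while 0444 does not. The account names, uid/gid numbers and the assumption that the upload is owned by the SSH account are constructed for illustration; ACLs, root and directory permissions are ignored.

```python
# Simplified model of the classic Unix permission check. Exactly one class
# applies to a process, chosen in the order owner, group, other. A group
# member is therefore NOT granted the "other" bits, which is what makes
# 0404 / 0606 useful on the shared-hosting layout described in the message.

R, W = 4, 2

def applicable_bits(mode, file_uid, file_gid, uid, gids):
    """Return the rwx bits of the single class that applies to this process."""
    if uid == file_uid:
        return (mode >> 6) & 7      # owner class
    if file_gid in gids:
        return (mode >> 3) & 7      # group class
    return mode & 7                 # other class

def can(mode, file_uid, file_gid, uid, gids, want):
    return (applicable_bits(mode, file_uid, file_gid, uid, gids) & want) == want

# Constructed accounts (assumptions, not taken from any real host).
USERS_GID = 100                     # "users" group shared by all FTP/SSH accounts
ALICE = (1001, {USERS_GID})         # SSH account that owns the wiki and the upload
BOB = (1002, {USERS_GID})           # another customer on the same host
HTTPD = (33, {33})                  # web server process, not in "users"

def access_table(mode):
    """Read/write access to an upload owned by ALICE:users with this mode."""
    accounts = (("owner", ALICE), ("other_ssh_user", BOB), ("server", HTTPD))
    table = {}
    for name, (uid, gids) in accounts:
        table[name] = "".join(
            flag if can(mode, ALICE[0], USERS_GID, uid, gids, bit) else "-"
            for flag, bit in (("r", R), ("w", W))
        )
    return table

if __name__ == "__main__":
    for mode in (0o444, 0o404, 0o606):
        print(f"{mode:04o}", access_table(mode))
```
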