[pmwiki-users] Uploaded files world readable!?
Patrick R. Michaud
pmichaud at pobox.com
Sun Dec 30 20:23:23 CST 2012
On Mon, Dec 31, 2012 at 01:48:14AM +0100, Petko Yotov wrote:
> The second argument 0444 causes world read permissions always, not
> sometimes. No matter if the file owner and the directory owner are
> the same or in the same group or not.
Ah, I didn't remember that.
According to the SVN log, this is one of the oldest changes made to
PmWiki (Nov 2004). The original problem appeared to be with PHP's
move_uploaded_file() function, which would always leave files with
0600 permissions, which meant the account owner could not view or
otherwise manipulate the files.
Of course, this was with whatever version of PHP was available at the
time; it's entirely likely that PHP's upload ownership/permissions
model has changed since then.
> Patrick, do you think this second argument should be made modifiable
> by a wiki admin? And should it be 0444 by default or 0?
I'm okay with it being an admin-modifiable value. It should continue
to default to 0444, at least until we can figure out exactly why it
was forced to 0444 in 2004 and can be certain that changing it to
zero won't cause lots of problems for people on older PHPs or in
various ISP setups.
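Added example, not part of the original message and not PmWiki code: a Python sketch of the permission behaviour discussed above, plus an audit that lists files carrying the world-read bit. The function names, the file names and the convention that a forced mode of 0 means "skip the chmod" are assumptions made for this illustration; the 0600 starting mode is the one the message attributes to move_uploaded_file() in 2004.

```python
import os
import stat
import tempfile


def simulate_upload(directory, name, forced_mode=0o444):
    """Create a file as 0600, then chmod it to forced_mode unless that is 0."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.write(fd, b"constructed sample upload\n")
    os.close(fd)
    if forced_mode:
        # chmod applies the mode as given; the process umask does not filter it,
        # which is why an explicit 0444 always yields world-readable files.
        os.chmod(path, forced_mode)
    return path


def world_readable(root):
    """Return sorted relative paths of regular files with the other-read bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            st = os.lstat(full)  # lstat: do not follow symlinks out of root
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Run three constructed uploads under a restrictive umask and audit them."""
    old_umask = os.umask(0o077)
    try:
        with tempfile.TemporaryDirectory() as uploads:
            simulate_upload(uploads, "forced.txt", 0o444)  # default discussed
            simulate_upload(uploads, "untouched.txt", 0)   # chmod skipped
            simulate_upload(uploads, "group.txt", 0o640)   # admin-chosen mode
            modes = {n: stat.S_IMODE(os.lstat(os.path.join(uploads, n)).st_mode)
                     for n in os.listdir(uploads)}
            return modes, world_readable(uploads)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    modes, exposed = demo()
    for name in sorted(modes):
        print(f"{name}: {modes[name]:04o}")
    print("world-readable:", exposed)
```

Pointing world_readable() at a real uploads directory gives the list of files that any local account on a shared host can read.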