authorzeripath <art27@cantab.net>2022-12-19 00:50:36 +0000
committerGitHub <noreply@github.com>2022-12-19 08:50:36 +0800
commita89b399faa275c28d0ffe9759d492636f67d6da0 (patch)
treefef5a9e6e30fc3a37d106d84075627a0fb796d8d /modules
parent998fe26051514ee74bb9c2f0e7de56014933133b (diff)
Local storage should not store files as executable (#22162)
The PR #21198 introduced a probable security vulnerability which resulted in making all storage files be marked as executable. This PR ensures that these are forcibly marked as non-executable. Fix #22161 Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules')
-rw-r--r--modules/storage/local.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/storage/local.go b/modules/storage/local.go
index a439a24592..ca51d26c9a 100644
--- a/modules/storage/local.go
+++ b/modules/storage/local.go
@@ -102,7 +102,8 @@ func (l *LocalStorage) Save(path string, r io.Reader, size int64) (int64, error)
return 0, err
}
// Golang's tmp file (os.CreateTemp) always have 0o600 mode, so we need to change the file to follow the umask (as what Create/MkDir does)
- if err := util.ApplyUmask(p, os.ModePerm); err != nil {
+ // but we don't want to make these files executable - so ensure that we mask out the executable bits
+ if err := util.ApplyUmask(p, os.ModePerm&0o666); err != nil {
return 0, err
}