Browse Source
Local storage should not store files as executable (#22162) (#22163)
Backport #22162 The PR #21198 introduced a probable security vulnerability which resulted in making all storage files be marked as executable. This PR ensures that these are forcibly marked as non-executable. Fix #22161 Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net>tags/v1.18.0
zeripath
1 year ago
1 changed files with 2 additions and 1 deletions
+ 2
- 1
modules/storage/local.go
View File
| @@ -103,7 +103,8 @@ func (l *LocalStorage) Save(path string, r io.Reader, size int64) (int64, error) | |||
| return 0, err | |||
| } | |||
| // Golang's tmp file (os.CreateTemp) always have 0o600 mode, so we need to change the file to follow the umask (as what Create/MkDir does) | |||
| if err := util.ApplyUmask(p, os.ModePerm); err != nil { | |||
| // but we don't want to make these files executable - so ensure that we mask out the executable bits | |||
| if err := util.ApplyUmask(p, os.ModePerm&0o666); err != nil { | |||
| return 0, err | |||
| } | |||
Loading…