php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77022 prose@zedcore.com
Submitted: 2018-10-16 09:23 UTC Modified: 2018-12-03 14:17 UTC
From: prose at zedcore dot com Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.23 OS:
Private report: No CVE-ID: None
 [2018-10-16 09:23 UTC] prose at zedcore dot com
Description:
------------
When using PharData to create a Tar archive and then extracting it, the umask is not respected and/or the permissions of the original file are not either.

If the tar utility is used to either create or extract the file, then the permissions are preserved.

As the composer library uses this to create archives of dependencies that it then installs, it opens up the chance for someone to edit

Test script:
---------------
// Also available at 3v4l - https://3v4l.org/PO3hN

var_dump(decoct(umask()));

$sFile = tempnam('/tmp', 'test');
var_dump(decoct(stat($sFile)['mode']));

$phar = new \PharData('/tmp/test.tar', null, null, \Phar::TAR);
$phar->addFile($sFile, 'test-file-phar');
$phar->extractTo('/tmp/');

var_dump(decoct(stat('/tmp/test-file-phar')['mode']));

Expected result:
----------------
The last two var_dumps should give the same file permissions

Actual result:
--------------
The second var_dump gives 100666 instead of 100600

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-26 11:17 UTC] prose at zedcore dot com
Hi - sorry to chase this. Has this been triaged at all? We have a workaround in place, but it'd be great if it could be fixed since the workaround requires us to run chmod after each composer install.
 [2018-12-02 03:47 UTC] stas@php.net
Looks like when creating a new tar file phar always uses default permissions - 0666. It's probably not right if the file already existed. If it did not, using umask probably makes sense, since it essentially creates new file's permissions.
 [2018-12-02 05:02 UTC] stas@php.net
-Summary: PharData ignores umask +Summary: PharData always creates new files with mode 0666
 [2018-12-02 05:20 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-12-02 05:50 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2018-12-02 05:50 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=69f5e7992bfc239e42a3a82e290399ca75bc56a6
Log: Fix bug #77022 - use file mode or umask for new files
 [2018-12-02 05:50 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b1446521d7aaf0d5b265d19c3beccb8e648290ec
Log: Fix bug #77022 - use file mode or umask for new files
 [2018-12-03 11:25 UTC] prose at zedcore dot com
-Summary: PharData always creates new files with mode 0666 +Summary: prose@zedcore.com
 [2018-12-03 11:25 UTC] prose at zedcore dot com
Alright then. I've notice you've closed this but I don't think it's fixed? Should I open a non-Security bug?
 [2018-12-03 14:01 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f658b38e854191d98a6715b278c0c9c8a7a0e68
Log: Fix bug #77022 - use file mode or umask for new files
 [2018-12-03 14:04 UTC] cmb@php.net
What's wrong with the fix?
 [2018-12-03 14:17 UTC] prose at zedcore dot com
Whoops! Sorry! I didn't get notified that there was a git commit attached as well, and I'm new to this interface.

Thanks for the fix!
 [2018-12-04 16:25 UTC] pollita@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8852e24a9819319844cd165855e7efb46be3c9c5
Log: Fix bug #77022 - use file mode or umask for new files
 [2018-12-04 16:45 UTC] pollita@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=80ea25c28d9139e237fd65c0a0f2aa87385e03e4
Log: Fix bug #77022 - use file mode or umask for new files
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Mon Dec 10 08:01:24 2018 UTC