Bug 561797: (CVE-2010-0180) [SECURITY] checksetup.pl with $suexec=1 sets

localconfig as world readable r=timello, a=mkanat

Bug 561797: (CVE-2010-0180) [SECURITY] checksetup.pl with $suexec=1 sets
92f35343 · Max Kanat-Alexander · 15fd6fe4 · 92f35343
Commit 92f35343 authored Jun 24, 2010 by Max Kanat-Alexander
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

Filesystem.pm Bugzilla/Install/Filesystem.pm +14 -0

No files found.
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -75,6 +75,13 @@ sub FILESYSTEM {
    my $skinsdir      = bz_locations()->{'skinsdir'};
    my $localconfig   = bz_locations()->{'localconfig'};

+    # We want to set the permissions the same for all localconfig files
+    # across all PROJECTs, so we do something special with $localconfig,
+    # lower down in the permissions section.
+    if ($ENV{PROJECT}) {
+        $localconfig =~ s/\.\Q$ENV{PROJECT}\E$//;
+    }
+
    my $ws_group      = Bugzilla->localconfig->{'webservergroup'};
    my $use_suexec    = Bugzilla->localconfig->{'use_suexec'};

@@ -92,6 +99,9 @@ sub FILESYSTEM {
    # Writeable by the web server.
    my $ws_writeable = $ws_group ? 0660 : 0666;

+    # Script-readable files that should not be world-readable under suexec.
+    my $script_readable = $use_suexec ? 0640 : $ws_readable;
+
    # DIRECTORIES
    # Readable by the web server.
    my $ws_dir_readable  = ($ws_group && !$use_suexec) ? 0750 : 0755;
@@ -129,6 +139,10 @@ sub FILESYSTEM {
        'migrate.pl'      => { perms => $owner_executable },
        'install-module.pl' => { perms => $owner_executable },

+        # Set the permissions for localconfig the same across all
+        # PROJECTs.
+        $localconfig       => { perms => $script_readable },
+        "$localconfig.*"   => { perms => $script_readable },
        "$localconfig.old" => { perms => $owner_readable },

        'contrib/README'       => { perms => $owner_readable },