PharData always creates new files with mode 0666

Sec Bug #77022 PharData always creates new files with mode 0666
Submitted: 2018-10-16 09:23 UTC
Modified: 2020-01-08 17:49 UTC
From: prose at zedcore dot com
Assigned: stas
Status: Closed
Package: PHAR related
PHP Version: 7.1.23
OS:
Private report: No
CVE-ID: None

 [2018-10-16 09:23 UTC] prose at zedcore dot com

Description:
------------
When using PharData to create a Tar archive and then extracting it, the umask is not respected, and neither are the permissions of the original file.

If the tar utility is used to either create or extract the file, then the permissions are preserved.

As the composer library uses this to create archives of dependencies that it then installs, it opens up the chance for someone to edit

Test script:
---------------
<?php
// Also available at 3v4l - https://3v4l.org/PO3hN

// Current process umask (e.g. 022)
var_dump(decoct(umask()));

// tempnam() creates the file with mode 0600
$sFile = tempnam('/tmp', 'test');
var_dump(decoct(stat($sFile)['mode']));

// Pack the file into a tar archive with PharData, then extract it again
$phar = new \PharData('/tmp/test.tar', null, null, \Phar::TAR);
$phar->addFile($sFile, 'test-file-phar');
$phar->extractTo('/tmp/');

// Mode of the extracted copy; expected to match the original (100600)
var_dump(decoct(stat('/tmp/test-file-phar')['mode']));

Expected result:
----------------
The last two var_dumps should give the same file permissions

Actual result:
--------------
The second var_dump gives 100666 instead of 100600
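The scenario above together with the chmod-after-extraction workaround mentioned later in the thread, as an added example (not the reporter's script and not php-src code). It assumes the phar extension is loaded, a umask of 022, and constructed paths under the system temp directory; normalizePerms() re-applies the process umask to every extracted regular file and reports what it changed.

```php
<?php
// Added example: reproduce the report and apply a post-extraction fixup.
// Paths, umask and file names are constructed for the demo.

function normalizePerms(string $dir): array
{
    $mask    = umask();
    $changed = [];
    $it = new \RecursiveIteratorIterator(
        new \RecursiveDirectoryIterator($dir, \FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var \SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $have = $file->getPerms() & 0777;
        $want = 0666 & ~$mask;   // what a freshly created file should get under this umask
        if ($have !== $want) {
            chmod($file->getPathname(), $want);
            $changed[$file->getPathname()] = sprintf('%o -> %o', $have, $want);
        }
    }
    return $changed;
}

// Reproduce the report: a 0600 temp file packed and extracted via PharData.
umask(0022);
$tmp = sys_get_temp_dir();
$src = tempnam($tmp, 'bug77022');        // tempnam() creates the file with mode 0600
$out = $tmp . '/bug77022-out';
@mkdir($out, 0700);
$tar = $tmp . '/bug77022.tar';
@unlink($tar);                           // start from a fresh archive

$phar = new \PharData($tar, 0, null, \Phar::TAR);
$phar->addFile($src, 'test-file-phar');
$phar->extractTo($out, null, true);      // overwrite if present

// On the affected version in the report this prints 666 rather than 600/644.
printf("extracted mode: %o\n", fileperms($out . '/test-file-phar') & 0777);

// Workaround: bring every extracted file back under the umask (644 here).
var_dump(normalizePerms($out));
```

Walking the destination directory rather than the archive entries keeps the fixup independent of how PharData reports entry paths, at the cost of touching any pre-existing files in that directory, so point it at a dedicated extraction directory.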

History


 [2018-11-26 11:17 UTC] prose at zedcore dot com

Hi - sorry to chase this. Has this been triaged at all? We have a workaround in place, but it'd be great if it could be fixed since the workaround requires us to run chmod after each composer install.

 [2018-12-02 03:47 UTC] stas@php.net

Looks like when creating a new tar file phar always uses default permissions - 0666. It's probably not right if the file already existed. If it did not, using umask probably makes sense, since it essentially creates new file's permissions.

 [2018-12-02 05:02 UTC] stas@php.net

-Summary: PharData ignores umask +Summary: PharData always creates new files with mode 0666

 [2018-12-02 05:20 UTC] stas@php.net

-Assigned To: +Assigned To: stas

 [2018-12-02 05:50 UTC] stas@php.net

-Status: Assigned +Status: Closed

 [2018-12-03 11:25 UTC] prose at zedcore dot com

-Summary: PharData always creates new files with mode 0666 +Summary: prose@zedcore.com

 [2018-12-03 11:25 UTC] prose at zedcore dot com

Alright then. I've noticed you've closed this, but I don't think it's fixed? Should I open a non-Security bug?

 [2018-12-03 14:04 UTC] cmb@php.net

What's wrong with the fix?

 [2018-12-03 14:17 UTC] prose at zedcore dot com

Whoops! Sorry! I didn't get notified that there was a git commit attached as well, and I'm new to this interface.

Thanks for the fix!

 [2020-01-08 17:49 UTC] cmb@php.net

-Summary: prose@zedcore.com +Summary: PharData always creates new files with mode 0666