We shouldn't allow open-access to the compiled php container.
Previously we'd had strict permissions on the sites/default/files/php folder.
Now it is getting 777 permissions.
Fix it
All of them
None
I am running test platform using Drupal 8 and noticed that the folder /sites/default/files/php kept getting its permission reset to 777, after searching the code base i have found the following places that are applying 777 permissions to folders/files.
I have not looked into what each instance is doing, but i am pretty sure that no folder should be set to have 777 permissions. Some in this list are for Vendor components, so not the responsibility of the Drupal team, but some are part of core Drupal.
grep -rI '777' . | grep -e mkdir -e chmod
./core/lib/Drupal/Component/PhpStorage/FileStorage.php: @chmod($path, 0777);
./core/lib/Drupal/Core/Archiver/ArchiveTar.php: if (!@drupal_mkdir($v_header['filename'], 0777)) {
./core/lib/Drupal/Core/Archiver/ArchiveTar.php: if (!@drupal_mkdir($p_dir, 0777)) {
./core/lib/Drupal/Core/FileTransfer/Local.php: if (!is_dir($directory) && @!mkdir($directory, 0777, TRUE)) {
./core/lib/Drupal/Core/Test/TestRunnerKernel.php: mkdir('public://simpletest', 0777, TRUE);
./core/modules/config/src/Tests/ConfigInstallProfileUnmetDependenciesTest.php: mkdir($dest, 0777, TRUE);
./core/modules/simpletest/src/BrowserTestBase.php: chmod($directory, 0777);
./core/modules/simpletest/src/InstallerTestBase.php: chmod($this->container->get('app.root') . '/' . $this->siteDirectory, 0777);
./core/modules/simpletest/src/WebTestBase.php: chmod($directory, 0777);
./core/modules/system/src/Tests/File/DirectoryTest.php: $this->settingsSet('file_chmod_directory', 0777);
./core/modules/system/src/Tests/File/DirectoryTest.php: $this->assertDirectoryPermissions($directory, 0777, 'file_chmod_directory setting is respected.');
./core/modules/system/src/Tests/File/HtaccessUnitTest.php: mkdir($public, 0777, TRUE);
./core/modules/system/src/Tests/File/HtaccessUnitTest.php: mkdir($private, 0777, TRUE);
./core/modules/system/src/Tests/File/HtaccessUnitTest.php: mkdir($stream, 0777, TRUE);
./core/modules/system/src/Tests/File/ReadOnlyStreamWrapperTest.php: $this->assertFalse(@chmod($uri, 0777), 'Unable to change file permissions when using read-only stream wrapper.');
./core/modules/system/src/Tests/File/UnmanagedSaveDataTest.php: $this->settingsSet('file_chmod_file', 0777);
./core/modules/system/src/Tests/Installer/DistributionProfileTest.php: mkdir($path, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsNoProfileTest.php: mkdir($this->settings['config_directories'][CONFIG_ACTIVE_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsNoProfileTest.php: mkdir($this->settings['config_directories'][CONFIG_STAGING_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsTest.php: mkdir($this->settings['config_directories'][CONFIG_ACTIVE_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsTest.php: mkdir($this->settings['config_directories'][CONFIG_STAGING_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerLanguageDirectionTest.php: mkdir(\Drupal::root() . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerLanguagePageTest.php: mkdir(\Drupal::root() . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerTranslationMultipleLanguageTest.php: mkdir(DRUPAL_ROOT . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerTranslationTest.php: mkdir(\Drupal::root() . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/SingleVisibleProfileTest.php: mkdir($path, 0777, TRUE);
./core/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php: if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) {
./core/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php: if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) {
./core/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FilesystemCache.php: if (false === @mkdir($filepath, 0777, true) && !is_dir($filepath)) {
./core/vendor/doctrine/cache/lib/Doctrine/Common/Cache/PhpFileCache.php: mkdir($filepath, 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/PermissionsTestCase.php: $this->assertFalse(@chmod(vfsStream::url('root/test_directory/test.file'), 0777));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/PermissionsTestCase.php: $this->assertFalse(@chmod(vfsStream::url('root/test_directory/test.file'), 0777));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/UnlinkTestCase.php: $root->getChild('test_directory')->chmod(0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/UnlinkTestCase.php: $root->getChild('test_directory')->getChild('test.file')->chmod(0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamGlobTestCase.php: mkdir(vfsStream::url('example/test/'), 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamResolveIncludePathTestCase.php: mkdir('vfs://root/a/path', 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamUmaskTestCase.php: mkdir(vfsStream::url('root/newdir'), 0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirSeparatorTestCase.php: mkdir('vfs://root/dir\bar\foo', true, 0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertFalse(mkdir(vfsStream::url('another/more'), 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertTrue(mkdir($this->fooURL . '/another/more', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertTrue(mkdir($this->fooURL . '/another/../more/.', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertFalse(mkdir($this->baz1URL . '/another/more', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertTrue(mkdir($this->fooURL . '/another/more', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: mkdir(vfsStream::url('testFolder') . '/testFolder/subTestFolder', 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: mkdir(vfsStream::url('testFolder') . '/testFolder/subTestFolder', 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/Clover.php: mkdir(dirname($target), 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/Crap4j.php: mkdir(dirname($target), 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML.php: mkdir($target . $id, 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML.php: mkdir($dir, 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML.php: if (@mkdir($directory, 0777, true)) {
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/XML.php: } elseif (!@mkdir($dir, 0777, true)) {
./core/vendor/phpunit/phpunit/src/TextUI/Command.php: chmod($tempFilename, 0777 & ~umask());
./core/vendor/phpunit/phpunit/src/Util/Printer.php: mkdir(dirname($out), 0777, true);
./core/vendor/symfony/class-loader/Symfony/Component/ClassLoader/ClassCollectionLoader.php: mkdir(dirname($cache), 0777, true);
./core/vendor/symfony/class-loader/Symfony/Component/ClassLoader/Tests/ClassMapGeneratorTest.php: mkdir($this->workspace, 0777, true);
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/File/File.php: if (false === @mkdir($directory, 0777, true) && !is_dir($directory)) {
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/NativeFileSessionHandler.php: mkdir($baseDir, 0777, true);
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/MockFileSessionStorage.php: mkdir($savePath, 0777, true);
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Tests/FileBagTest.php: mkdir(sys_get_temp_dir().'/form_test', 0777, true);
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpCache/Store.php: mkdir($this->root, 0777, true);
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpCache/Store.php: if (!is_dir(dirname($path)) && false === @mkdir(dirname($path), 0777, true)) {
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpCache/Store.php: if (!is_dir(dirname($path)) && false === @mkdir(dirname($path), 0777, true)) {
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/Kernel.php: if (false === @mkdir($dir, 0777, true) && !is_dir($dir)) {
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php: mkdir($this->folder, 0777, true);
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php: mkdir($dir, 0777, true);
./core/vendor/twig/twig/lib/Twig/Environment.php: if (false === @mkdir($dir, 0777, true)) {
./core/vendor/twig/twig/test/Twig/Tests/EnvironmentTest.php: mkdir(dirname($cache), 0777, true);
./core/vendor/twig/twig/test/Twig/Tests/FileCachingTest.php: @mkdir($this->tmpDir, 0777, true);
Needs work
11.0 🔥
file system
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
I have just run a security test and see that this is still an issue with the php folder within sites default files.
i.e. drwxrwxrwx 3 apache apache 18 Jan 4 10:47 php
Can someone summarise if this is something to worry about? Is there a fix without patching core?
Thanks