Commit cac38d52 authored by Nigel McNie's avatar Nigel McNie

Added a new configuration setting - directorypermissions - and set it by default to 0700.

Use it in check_dir_exists, to set the permissions of directories created in dataroot.

Directories used to be created 0777, which is unnecessary unless the user is on shared hosting and needs to download their dataroot at some point later (which they will do for backup purposes).
parent d739e308
......@@ -48,6 +48,13 @@ $cfg->dbprefix = '';
// this is a big security hole.
$cfg->dataroot = '/path/to/uploaddir';
// directorypermissions - what permissions to use for files and directories in
// dataroot. The default allows only the web server user to read the data. If
// you're on shared hosting and might want to download the contents of your
// dataroot later (e.g. for backup purposes), set this to 0777. Otherwise,
// leave it as is!
//$cfg->directorypermissions = 0700;
// insecuredataroot - whether to enforce checking that files being served have
// come from dataroot. You would only want to turn this on if you were running
// more than one Mahara against the same dataroot. If you are doing that, make
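Review bot: The new comment says `directorypermissions` applies to "files and directories in dataroot", but the commit message only describes it being used in check_dir_exists, which creates directories; the comment should say "directories" unless file creation also reads the setting. The advice to set 0777 on shared hosting makes every dataroot directory world-writable to other accounts on the host. If the aim is only to download a backup later, the comment could suggest a narrower mode such as `0755` (read and traverse) or group access via `0750`, leaving 0777 as the last resort.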
......@@ -62,6 +62,11 @@ foreach (array('docroot', 'dataroot') as $path) {
$CFG->xmldbdisablenextprevchecking = true;
$CFG->xmldbdisablecommentchecking = true;
// ensure directorypermissions is set
if (empty($CFG->directorypermissions)) {
$CFG->directorypermissions = 0700;
// core libraries
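Review bot: The default is filled in with `empty()`, but a value the administrator did set is never validated, so `'0700'` (a string) or `700` (decimal) passes straight through. PHP converts either to decimal 700, which mkdir() reads as octal 1274 rather than owner-only. Consider normalising here, for example `if (is_string($CFG->directorypermissions)) { $CFG->directorypermissions = octdec($CFG->directorypermissions); }`, and rejecting anything outside `0000`–`0777`. The closing brace of the `if` is not visible in this hunk.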
......@@ -753,9 +753,9 @@ function check_dir_exists($dir, $create=true, $recursive=true) {
if (!$create) {
$status = false;
} else {
$status = @mkdir($dir, 0777, true);
// @todo has the umask been clobbered at this point, and is this a bad thing?
$mask = umask(0000);
$status = @mkdir($dir, get_config('directorypermissions'), true);
return $status;
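Review bot: `umask(0000)` is saved into `$mask` but, in the lines shown, never restored before `return $status;`, so anything created later in the same request is no longer restricted by the process umask, which is the question the @todo raises. Restoring it directly after the call, `umask($mask);`, keeps the cleared umask scoped to this one mkdir. Separately, the new mode only applies to directories created from now on (including missing parents, because of the recursive flag); directories already created at 0777 keep that mode unless an upgrade step chmods them. The function starts and ends outside this hunk and the page does not mark which lines are added, so the restore may exist in lines not shown.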
