View Issue Details

This bug affects 1 person(s).

ID: 13366
Project: Bug reports
Category: Theme editor
View Status: public
Last Update: 2018-03-09 16:36
Reporter: RichieB
Assigned To: LouisGac
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.1.x
Summary: 13366: Extending a theme creates world writable directories
Description

When extending a theme, a new directory tree upload/themes/survey/<name> gets created. All subdirectories below this new path are world writable, which is bad security practice.

Steps To Reproduce
  1. Extend a theme, name the new theme footer
  2. Observe world writable directories inside upload/themes/survey/foobar
Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 3.2.0+180206
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mysql 5.7.21-0ubuntu0.16.04.1
Server OS (if known): Ubuntu 16.04.1
Webserver software & version (if known): apache 2.4.18-2ubuntu3.5
PHP Version: 7.0.22-0ubuntu0.16.04.1

Activities

LouisGac

2018-02-16 10:24

developer   ~46544

It's rather a server configuration problem.
Directories are created by web user (www-data in ubuntu), so they should be writable only by the web-user.

RichieB

2018-02-16 15:13

reporter   ~46551

No, it is set to mode 0777 explicitly by several places in the php code like:
https://github.com/LimeSurvey/LimeSurvey/blob/master/framework/utils/CFileHelper.php#L359
https://github.com/LimeSurvey/LimeSurvey/blob/master/framework/cli/commands/WebAppCommand.php#L105

LouisGac

2018-02-16 15:20

developer   ~46552

ok... thank you very much

LouisGac

2018-03-05 18:33

developer   ~46910

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=26667

c_schmitz

2018-03-09 16:36

administrator   ~46991

Version 3.5.0 180309 released
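
The check described in this report, as an added example that is not LimeSurvey's code or its fix: a shell audit that shows an explicit chmod 0777 leaving directories world writable even under umask 022, then finds and repairs them. The tree is constructed in a temporary directory; the subdirectory names css, files and scripts and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not LimeSurvey code). Tree and subdirectory names are constructed.

# Print every directory under $1 that has the "other" write bit set.
list_world_writable() {
    find "$1" -type d -perm -0002 -print | sort
}

# Number of world-writable directories under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the other-write bit; owner and group bits stay as they were.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}

# Build a sample theme tree in a temp dir and print its root.
# css is created under umask 022 and is not world writable; files and
# scripts then get an explicit chmod 0777, which the umask does not filter.
build_sample_tree() {
    sample_root=$(mktemp -d)
    (
        umask 022
        theme="$sample_root/upload/themes/survey/foobar"
        mkdir -p "$theme/css" "$theme/files" "$theme/scripts"
        chmod 0777 "$theme/files" "$theme/scripts"
    )
    printf '%s\n' "$sample_root"
}

# Demo: audit, repair, audit again.
demo_root=$(build_sample_tree)
echo "world-writable before fix: $(count_world_writable "$demo_root")"
list_world_writable "$demo_root"
fix_world_writable "$demo_root"
echo "world-writable after fix: $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```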

Related Changesets

LimeSurvey: master a53d5b14

2018-03-05 18:33:02

LouisGac

Fixed issue 13366: Extending a theme creates world writable directories
Affected Issues: 13366
mod - application/controllers/admin/themes.php

Issue History

Date Modified Username Field Change
2018-02-16 00:07 RichieB New Issue
2018-02-16 10:24 LouisGac Note Added: 46544
2018-02-16 15:13 RichieB Note Added: 46551
2018-02-16 15:20 LouisGac Note Added: 46552
2018-03-05 11:41 LouisGac Sticky Issue No => Yes
2018-03-05 18:33 LouisGac Changeset attached => LimeSurvey master a53d5b14
2018-03-05 18:33 LouisGac Note Added: 46910
2018-03-05 18:33 LouisGac Assigned To => LouisGac
2018-03-05 18:33 LouisGac Resolution open => fixed
2018-03-05 18:37 LouisGac Sticky Issue Yes => No
2018-03-05 18:37 LouisGac Status new => resolved
2018-03-09 16:36 c_schmitz Note Added: 46991
2018-03-09 16:36 c_schmitz Status resolved => closed