OJS v3.3.0-10 – some submitted files in $files_dir/journals are world-writable

Description of issue or problem I’m having:

Our nightly system check discovered world-writable files in $files_dir/journals, namely:

  • 4/articles/337
  • 4/articles/339
  • 4/articles/336
  • 4/articles/342
  • 4/articles/338

Steps I took leading up to the issue:

None we are aware of.

What I tried to resolve the issue:

I checked the umask setting in config.inc.php, but it is “0022”.

Application Version:

OJS: v3.3.0-10 running on a Debian v11.3 (“bullseye”) LAMP system, using

  • Linux v5.10.0-9
  • Apache v2.4.53
  • PHP (fpm-fcgi) v7.4.28
  • MariaDB v15.1

Additional information, such as screenshots and error log messages if applicable:

Thanks for looking into this!

1 Like

Same issue here. Another thing: if I chane the UMASK setting in config.inc.php it doesn’t seem to work.

I want this permission

660 (rw-rw----) 770 (rwxrwx—)

And the umask to be set is 007, but even if I set it, the files in the dir_files are 777/666.

This is a real security issue, I think.

I also modified the UMASK server-side both in /etc/login.defs and /etc/apache2/envvars. Doesn’t work either.

Hi all,

I’ve filed this for review/fixing here:

Please consider testing the submitted patch; additional data points would be helpful!

Alec Smecher
Public Knowledge Project Team

1 Like

Thank you! I have been on vacation but will take a look at it right away!

The patch does not resolve the issue. I’ve just applied the patch, restarted Apache and the PHP FPM, and submitted a file for testing. And the directory that has been created for the submission is still world-writable.

Hi @odkr,

Is this a directory that was already created before you submitted a new file? If it’s just a new file you submitted, rather than a whole new submission, it’s likely that the directory had already been created before you applied the patch.

Alec Smecher
Public Knowledge Project Team

Good point! I’m not sure why that directory should have existed, but after starting over in order to retrace my steps, the issue now appears to be fixed. Thanks a lot!

1 Like