OJS v3.3.0-10 – some submitted files in $files_dir/journals are world-writable

Description of issue or problem I’m having:

Our nightly system check discovered world-writable files in $files_dir/journals, namely:

  • 4/articles/337
  • 4/articles/339
  • 4/articles/336
  • 4/articles/342
  • 4/articles/338

Steps I took leading up to the issue:

None we are aware of.

What I tried to resolve the issue:

I checked the umask setting in config.inc.php, but it is “0022”.

Application Version:

OJS: v3.3.0-10 running on a Debian v11.3 (“bullseye”) LAMP system, using

  • Linux v5.10.0-9
  • Apache v2.4.53
  • PHP (fpm-fcgi) v7.4.28
  • MariaDB v15.1

Additional information, such as screenshots and error log messages if applicable:

Thanks for looking into this!


Same issue here. Another thing: if I change the UMASK setting in config.inc.php it doesn’t seem to work.

I want this permission

660 (rw-rw----) 770 (rwxrwx---)

And the umask to be set is 007, but even if I set it, the files in the dir_files are 777/666.

This is a real security issue, I think.

I also modified the UMASK server-side both in /etc/login.defs and /etc/apache2/envvars. Doesn’t work either.
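An added example, not part of the thread and not OJS code: a Python audit that walks a files directory and reports every entry carrying permission bits that a given umask should have cleared, so the same run covers the world-writable check from the first post (umask 0022) and the 660/770 target from the second (umask 007). The function names, the hypothetical article 900 and the temporary sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, umask):
    """Return sorted (relative path, mode, excess) for every entry under root
    that carries a permission bit the given umask should have cleared."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced on Linux
            mode = stat.S_IMODE(st.st_mode) & 0o777
            excess = mode & umask
            if excess:
                findings.append((os.path.relpath(path, root), mode, excess))
    return sorted(findings)


def world_writable(findings):
    """Subset a nightly check would flag: the 'other' write bit is set."""
    return [rel for rel, mode, _ in findings if mode & stat.S_IWOTH]


def build_sample_tree(root):
    """Constructed sample data (not real OJS content): article 336 is
    world-writable, hypothetical article 900 is 750/644."""
    layout = {"4/articles/336": (0o777, 0o666), "4/articles/900": (0o750, 0o644)}
    for rel, (dir_mode, file_mode) in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory)
        pdf = os.path.join(directory, "submission.pdf")
        with open(pdf, "wb") as handle:
            handle.write(b"constructed sample")
        os.chmod(pdf, file_mode)  # chmod sets exact bits, ignoring the process umask
        os.chmod(directory, dir_mode)
    for rel in ("4", "4/articles"):
        os.chmod(os.path.join(root, rel), 0o750)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as files_dir:
        build_sample_tree(files_dir)
        for umask in (0o022, 0o007):
            found = audit_tree(files_dir, umask)
            print(f"umask {umask:03o}:", [(r, oct(m), oct(e)) for r, m, e in found])
```

To audit a real installation, call `audit_tree()` with the `files_dir` path from config.inc.php and the umask configured there.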

Hi all,

I’ve filed this for review/fixing here:

Please consider testing the submitted patch; additional data points would be helpful!

Regards,
Alec Smecher
Public Knowledge Project Team