From 2741d8ecedb156773328750be0d09ecc89afa4bd Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Wed, 10 Apr 2013 17:39:49 -0400
Subject: [PATCH] Set minimal permissions to temp files (#148899)

---
 plugins/filesystem_attachments/filesystem_attachments.php |    1 +
 program/lib/Roundcube/rcube_image.php                     |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/plugins/filesystem_attachments/filesystem_attachments.php b/plugins/filesystem_attachments/filesystem_attachments.php
index fa14779..063f6d5 100644
--- a/plugins/filesystem_attachments/filesystem_attachments.php
+++ b/plugins/filesystem_attachments/filesystem_attachments.php
@@ -60,6 +60,7 @@
             $args['id'] = $this->file_id();
             $args['path'] = $tmpfname;
             $args['status'] = true;
+            @chmod($tmpfname, 0600);  // set correct permissions (#148899)
 
             // Note the file for later cleanup
             $_SESSION['plugins']['filesystem_attachments'][$group][] = $tmpfname;
diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
index a55ba16..735a0df 100644
--- a/program/lib/Roundcube/rcube_image.php
+++ b/program/lib/Roundcube/rcube_image.php
@@ -124,6 +124,7 @@
             }
 
             if ($result === '') {
+                @chmod($filename, 0600);
                 return $type;
             }
         }
@@ -183,6 +184,7 @@
             }
 
             if ($result) {
+                @chmod($filename, 0600);
                 return $type;
             }
         }
@@ -223,6 +225,7 @@
             $result = rcube::exec($convert . ' 2>&1 -colorspace RGB -quality 75 {in} {type}:{out}', $p);
 
             if ($result === '') {
+                @chmod($filename, 0600);
                 return true;
             }
         }
@@ -256,6 +259,7 @@
             }
 
             if ($result) {
+                @chmod($filename, 0600);
                 return true;
             }
         }

--
Gitblit v1.9.1