From 56bded9d8d1b75610aa6502dc619dca791360a63 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 18 Dec 2022 23:12:25 +0000 Subject: [PATCH] Local storage should not store files as executable (#22162) (#22163) Backport #22162 The PR #21198 introduced a probable security vulnerability which resulted in making all storage files be marked as executable. This PR ensures that these are forcibly marked as non-executable. Fix #22161 Signed-off-by: Andrew Thornton Signed-off-by: Andrew Thornton --- modules/storage/local.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/storage/local.go b/modules/storage/local.go index 5d5b06b648d7..a208ba8e1024 100644 --- a/modules/storage/local.go +++ b/modules/storage/local.go @@ -103,7 +103,8 @@ func (l *LocalStorage) Save(path string, r io.Reader, size int64) (int64, error) return 0, err } // Golang's tmp file (os.CreateTemp) always have 0o600 mode, so we need to change the file to follow the umask (as what Create/MkDir does) - if err := util.ApplyUmask(p, os.ModePerm); err != nil { + // but we don't want to make these files executable - so ensure that we mask out the executable bits + if err := util.ApplyUmask(p, os.ModePerm&0o666); err != nil { return 0, err }