deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Security: ensure file upload directory is not world-writable.

Browse source 
(There still seem to be bugs in the file upload function.)
This commit is contained in:
Jacques Distler 2007-03-10 11:26:30 -06:00
parent 46a456b3ad
commit 626c135d1e
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/models/web.rb
View file

@ -89,6 +89,7 @@ class Web < ActiveRecord::Base
def create_files_directory def create_files_directory
return unless allow_uploads == 1 return unless allow_uploads == 1
dummy_file = self.wiki_files.build(:file_name => '0', :description => '0', :content => '0') dummy_file = self.wiki_files.build(:file_name => '0', :description => '0', :content => '0')
File.umask(0002)
dir = File.dirname(dummy_file.content_path) dir = File.dirname(dummy_file.content_path)
begin begin
require 'fileutils' require 'fileutils'