View Issue Details

ID: 0019779
Project: phpList 3 application
Category: Installation
View Status: public
Last Update: 19-07-19 16:33
Reporter: duncanc
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 3.3.9
Target Version: 3.4.0
Fixed in Version: 3.4.0
Summary: 0019779: Incorrect file permission for the admin/plugins directory
Description: The phplist distribution file downloaded from SourceForge has incorrect permissions for the admin/plugins directory, 777 instead of 755 as for all other folders.

Some anti-malware software will prohibit access to directories with permission of 777.
Tags: No tags attached.

Activities

duncanc

19-02-19 12:38

updater  

suela

20-02-19 17:28

administrator   ~0061916

That seems to be the case since version 3.3.2 when additional plugins were added by default. Not sure if that was on purpose.
@samtuke @michiel ?

duncanc

20-02-19 18:15

updater   ~0061917

Last edited: 20-02-19 18:21

Just to clarify what happens when the plugins directory has permissions of 777.

When using the CKEditor plugin, the file browser window for inserting an image shows a 404 error (see screenshot). After changing the permission to 755 the file browser window is displayed correctly.

The url for the window is similar to this

http://www.mysite.com/lists/admin/plugins/CKEditorPlugin/kcfinder/browse.php?opener=ckeditor&type=image&CKEditor=message&CKEditorFuncNum=1&langCode=en

This error is in the web server log
Wed Feb 20 10:09:53.295350 2019] [:error] [pid 22480:tid 47654437066496] [client 109.154.156.164:51098] SoftException in Application.cpp:657: Directory "/home/farmstea/public_html/lists/admin/plugins" is writeable by group, referer: http://www.farmsteadcheesesandwines.com/lists/admin/?page=send&id=2884&tk=7e6b57dc20fcc0f8f003bc5c89cc3002

which appears to come from suPHP.



samtuke

20-02-19 20:52

administrator   ~0061918

If I introduced it then it wasn't intentional and can be reversed.

duncanc

09-03-19 06:39

updater   ~0061997

In the new 3.4.0-RC1 the permissions for the plugins directory have been changed from 777 to 775, see new screenshot, which is still group-writeable.
The permissions need to be 755, the same as other directories, to avoid the suPHP problem.

3.4.0-RC1.png (12,462 bytes)
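
Added example (not part of the tracker thread and not phpList code): a shell check that lists every directory in an unpacked phpList tree that is writable by group or others, the condition suPHP rejects in the log above, and clears only those write bits so that 777 and 775 both become 755. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked phpList tree for directories that are
# writable by group or others, then tighten them. Names are hypothetical.

# List directories under $1 that have the group-write or other-write bit set.
list_loose_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print | sort
}

# Clear group/other write bits on the flagged directories only.
# 777 and 775 both become 755; files are left untouched.
tighten_dirs() {
    list_loose_dirs "$1" | while IFS= read -r d; do
        chmod go-w "$d"
    done
}

# Symbolic mode string of a directory, e.g. drwxr-xr-x
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample tree that mimics the layout described in the report.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lists/admin/plugins/CKEditorPlugin" "$root/lists/admin/help"
    chmod 755 "$root/lists" "$root/lists/admin" "$root/lists/admin/help" \
              "$root/lists/admin/plugins/CKEditorPlugin"
    chmod 777 "$root/lists/admin/plugins"   # mode reported for 3.3.9
    echo "flagged before:"; list_loose_dirs "$root/lists"
    tighten_dirs "$root/lists"
    echo "plugins mode after: $(dir_mode "$root/lists/admin/plugins")"
    rm -rf "$root"
}
demo
```

Running `list_loose_dirs` against the extracted archive before uploading shows whether a release still ships a group-writable directory.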