Skip to content

Instantly share code, notes, and snippets.

@beberlei beberlei/annotations.patch Secret
Last active Aug 31, 2015

Embed
What would you like to do?
commit f25c8aab83e0c3e976fd7d19875f198ccf2f7535
Author: Benjamin Eberlei <kontakt@beberlei.de>
Date: Mon Aug 31 13:54:27 2015 +0200
[DCOM-293] Fix security misconfiguration vulnerability that can allow local arbitrary code execution.
diff --git a/lib/Doctrine/Common/Annotations/FileCacheReader.php b/lib/Doctrine/Common/Annotations/FileCacheReader.php
index 2acfa31..24add1b 100644
--- a/lib/Doctrine/Common/Annotations/FileCacheReader.php
+++ b/lib/Doctrine/Common/Annotations/FileCacheReader.php
@@ -57,6 +57,11 @@ class FileCacheReader implements Reader
private $classNameHashes = array();
/**
+ * @var int
+ */
+ private $umask;
+
+ /**
* Constructor.
*
* @param Reader $reader
@@ -65,10 +70,19 @@ class FileCacheReader implements Reader
*
* @throws \InvalidArgumentException
*/
- public function __construct(Reader $reader, $cacheDir, $debug = false)
+ public function __construct(Reader $reader, $cacheDir, $debug = false, $umask = 0002)
{
+ if ( ! is_int($umask)) {
+ throw new \InvalidArgumentException(sprintf(
+ 'The parameter umask must be an integer, was: %s',
+ gettype($umask)
+ ));
+ }
+
$this->reader = $reader;
- if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) {
+ $this->umask = $umask;
+
+ if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777 & (~$this->umask), true)) {
throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $cacheDir));
}
@@ -206,12 +220,12 @@ class FileCacheReader implements Reader
throw new \RuntimeException(sprintf('Unable to write cached file to: %s', $tempfile));
}
+ @chmod($tempfile, 0666 & (~$this->umask));
+
if (false === rename($tempfile, $path)) {
@unlink($tempfile);
throw new \RuntimeException(sprintf('Unable to rename %s to %s', $tempfile, $path));
}
-
- @chmod($path, 0666 & ~umask());
}
/**
commit 5d9340412c24706f9ac5cd34a58e91592f2ce130
Author: Benjamin Eberlei <kontakt@beberlei.de>
Date: Wed Aug 12 09:53:11 2015 +0200
[DCOM-293] Fix privilege escalaction security vulnerability in PhpFileCache.
diff --git a/lib/Doctrine/Common/Cache/FileCache.php b/lib/Doctrine/Common/Cache/FileCache.php
index 651b3fb..9ad3ce2 100644
--- a/lib/Doctrine/Common/Cache/FileCache.php
+++ b/lib/Doctrine/Common/Cache/FileCache.php
@@ -55,6 +55,11 @@ abstract class FileCache extends CacheProvider
private $replacementCharacters = array('__', '-');
/**
+ * @var int
+ */
+ private $umask;
+
+ /**
* Constructor.
*
* @param string $directory The cache directory.
@@ -62,8 +67,17 @@ abstract class FileCache extends CacheProvider
*
* @throws \InvalidArgumentException
*/
- public function __construct($directory, $extension = '')
+ public function __construct($directory, $extension = '', $umask = 0002)
{
+ // YES, this needs to be *before* createPathIfNeeded()
+ if ( ! is_int($umask)) {
+ throw new \InvalidArgumentException(sprintf(
+ 'The umask parameter is required to be integer, was: %s',
+ gettype($umask)
+ ));
+ }
+ $this->umask = $umask;
+
if ( ! $this->createPathIfNeeded($directory)) {
throw new \InvalidArgumentException(sprintf(
'The directory "%s" does not exist and could not be created.',
@@ -78,6 +92,7 @@ abstract class FileCache extends CacheProvider
));
}
+ // YES, this needs to be *after* createPathIfNeeded()
$this->directory = realpath($directory);
$this->extension = (string) $extension;
}
@@ -167,7 +182,7 @@ abstract class FileCache extends CacheProvider
private function createPathIfNeeded($path)
{
if ( ! is_dir($path)) {
- if (false === @mkdir($path, 0777, true) && !is_dir($path)) {
+ if (false === @mkdir($path, 0777 & (~$this->umask), true) && !is_dir($path)) {
return false;
}
}
@@ -196,11 +211,10 @@ abstract class FileCache extends CacheProvider
}
$tmpFile = tempnam($filepath, 'swap');
+ @chmod($tmpFile, 0666 & (~$this->umask));
if (file_put_contents($tmpFile, $content) !== false) {
if (@rename($tmpFile, $filename)) {
- @chmod($filename, 0666 & ~umask());
-
return true;
}
diff --git a/lib/Doctrine/Common/Cache/FilesystemCache.php b/lib/Doctrine/Common/Cache/FilesystemCache.php
index 6b44aa0..29d5e07 100644
--- a/lib/Doctrine/Common/Cache/FilesystemCache.php
+++ b/lib/Doctrine/Common/Cache/FilesystemCache.php
@@ -32,9 +32,9 @@ class FilesystemCache extends FileCache
/**
* {@inheritdoc}
*/
- public function __construct($directory, $extension = self::EXTENSION)
+ public function __construct($directory, $extension = self::EXTENSION, $umask = 0002)
{
- parent::__construct($directory, $extension);
+ parent::__construct($directory, $extension, $umask);
}
/**
diff --git a/lib/Doctrine/Common/Cache/PhpFileCache.php b/lib/Doctrine/Common/Cache/PhpFileCache.php
index 12dda5a..5e75196 100644
--- a/lib/Doctrine/Common/Cache/PhpFileCache.php
+++ b/lib/Doctrine/Common/Cache/PhpFileCache.php
@@ -32,9 +32,9 @@ class PhpFileCache extends FileCache
/**
* {@inheritdoc}
*/
- public function __construct($directory, $extension = self::EXTENSION)
+ public function __construct($directory, $extension = self::EXTENSION, $umask = 0002)
{
- parent::__construct($directory, $extension);
+ parent::__construct($directory, $extension, $umask);
}
/**
commit b3ae747e4e63d8785b745762830850160eac2ab4
Author: Benjamin Eberlei <kontakt@beberlei.de>
Date: Mon Aug 31 14:20:35 2015 +0200
[DCOM-293] Fix security misconfiguration vulnerability that can lead to local arbitrary code execution.
diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
index 4c5a239..3941f17 100644
--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+++ b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
@@ -302,6 +302,7 @@ class <proxyShortClassName> extends \<className> implements \<baseProxyInterface
$tmpFileName = $fileName . '.' . uniqid('', true);
file_put_contents($tmpFileName, $proxyCode);
+ chmod($tmpFileName, 0664);
rename($tmpFileName, $fileName);
}
From ff2324a76bacfdf30a2fa0343cbc46718ee21381 Mon Sep 17 00:00:00 2001
From: Maciej Malarz <malarzm@gmail.com>
Date: Mon, 31 Aug 2015 14:22:13 +0200
Subject: [PATCH] Fix security misconfiguration vulnerability allowing local
remote arbitrary code execution.
---
.../ODM/MongoDB/Hydrator/HydratorFactory.php | 1 +
.../Console/Command/GenerateHydratorsCommand.php | 2 +-
.../Console/Command/GenerateProxiesCommand.php | 2 +-
.../ODM/MongoDB/Tools/DocumentGenerator.php | 3 ++-
.../MongoDB/Tools/DocumentRepositoryGenerator.php | 3 ++-
.../Tests/Mapping/Symfony/AbstractDriverTest.php | 2 +-
6 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/lib/Doctrine/ODM/MongoDB/Hydrator/HydratorFactory.php b/lib/Doctrine/ODM/MongoDB/Hydrator/HydratorFactory.php
index d6b13a0..ccda5bb 100644
--- a/lib/Doctrine/ODM/MongoDB/Hydrator/HydratorFactory.php
+++ b/lib/Doctrine/ODM/MongoDB/Hydrator/HydratorFactory.php
@@ -414,6 +414,7 @@ EOF
$tmpFileName = $fileName . '.' . uniqid('', true);
file_put_contents($tmpFileName, $code);
rename($tmpFileName, $fileName);
+ chmod($fileName, 0664);
}
}
diff --git a/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateHydratorsCommand.php b/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateHydratorsCommand.php
index 1656532..4938152 100644
--- a/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateHydratorsCommand.php
+++ b/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateHydratorsCommand.php
@@ -75,7 +75,7 @@ EOT
}
if ( ! is_dir($destPath)) {
- mkdir($destPath, 0777, true);
+ mkdir($destPath, 0775, true);
}
$destPath = realpath($destPath);
diff --git a/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateProxiesCommand.php b/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateProxiesCommand.php
index 8b92fae..79a200e 100644
--- a/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateProxiesCommand.php
+++ b/lib/Doctrine/ODM/MongoDB/Tools/Console/Command/GenerateProxiesCommand.php
@@ -75,7 +75,7 @@ EOT
}
if ( ! is_dir($destPath)) {
- mkdir($destPath, 0777, true);
+ mkdir($destPath, 0775, true);
}
$destPath = realpath($destPath);
diff --git a/lib/Doctrine/ODM/MongoDB/Tools/DocumentGenerator.php b/lib/Doctrine/ODM/MongoDB/Tools/DocumentGenerator.php
index ea02858..de3f1e3 100644
--- a/lib/Doctrine/ODM/MongoDB/Tools/DocumentGenerator.php
+++ b/lib/Doctrine/ODM/MongoDB/Tools/DocumentGenerator.php
@@ -179,7 +179,7 @@ public function <methodName>()
$dir = dirname($path);
if ( ! is_dir($dir)) {
- mkdir($dir, 0777, true);
+ mkdir($dir, 0775, true);
}
$this->isNew = ! file_exists($path) || (file_exists($path) && $this->regenerateDocumentIfExists);
@@ -203,6 +203,7 @@ public function <methodName>()
} elseif ( ! $this->isNew && $this->updateDocumentIfExists) {
file_put_contents($path, $this->generateUpdatedDocumentClass($metadata, $path));
}
+ chmod($path, 0664);
}
/**
diff --git a/lib/Doctrine/ODM/MongoDB/Tools/DocumentRepositoryGenerator.php b/lib/Doctrine/ODM/MongoDB/Tools/DocumentRepositoryGenerator.php
index a90c9e9..24da291 100644
--- a/lib/Doctrine/ODM/MongoDB/Tools/DocumentRepositoryGenerator.php
+++ b/lib/Doctrine/ODM/MongoDB/Tools/DocumentRepositoryGenerator.php
@@ -76,11 +76,12 @@ class <className> extends DocumentRepository
$dir = dirname($path);
if ( ! is_dir($dir)) {
- mkdir($dir, 0777, true);
+ mkdir($dir, 0775, true);
}
if ( ! file_exists($path)) {
file_put_contents($path, $code);
+ chmod($path, 0664);
}
}
}
diff --git a/tests/Doctrine/ODM/MongoDB/Tests/Mapping/Symfony/AbstractDriverTest.php b/tests/Doctrine/ODM/MongoDB/Tests/Mapping/Symfony/AbstractDriverTest.php
index 2b6d7a5..eaa7323 100644
--- a/tests/Doctrine/ODM/MongoDB/Tests/Mapping/Symfony/AbstractDriverTest.php
+++ b/tests/Doctrine/ODM/MongoDB/Tests/Mapping/Symfony/AbstractDriverTest.php
@@ -76,7 +76,7 @@ abstract class AbstractDriverTest extends \PHPUnit_Framework_TestCase
protected function setUp()
{
$this->dir = sys_get_temp_dir().'/abstract_driver_test';
- @mkdir($this->dir, 0777, true);
+ @mkdir($this->dir, 0775, true);
}
protected function tearDown()
--
1.7.9.5
From 42565f1511d0cae687319e0479b9628aa963589c Mon Sep 17 00:00:00 2001
From: Maciej Malarz <mpmalarz@exhibit-e.com>
Date: Mon, 31 Aug 2015 14:34:24 +0200
Subject: [PATCH] Fix security misconfiguration vulnerability allowing local
remote arbitrary code execution.
---
CacheWarmer/HydratorCacheWarmer.php | 2 +-
CacheWarmer/ProxyCacheWarmer.php | 2 +-
.../Compiler/CreateHydratorDirectoryPass.php | 2 +-
.../Compiler/CreateProxyDirectoryPass.php | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CacheWarmer/HydratorCacheWarmer.php b/CacheWarmer/HydratorCacheWarmer.php
index c0409c8..343aba5 100644
--- a/CacheWarmer/HydratorCacheWarmer.php
+++ b/CacheWarmer/HydratorCacheWarmer.php
@@ -56,7 +56,7 @@ class HydratorCacheWarmer implements CacheWarmerInterface
// we need the directory no matter the hydrator cache generation strategy.
$hydratorCacheDir = $this->container->getParameter('doctrine_mongodb.odm.hydrator_dir');
if (!file_exists($hydratorCacheDir)) {
- if (false === @mkdir($hydratorCacheDir, 0777, true)) {
+ if (false === @mkdir($hydratorCacheDir, 0775, true)) {
throw new \RuntimeException(sprintf('Unable to create the Doctrine Hydrator directory (%s)', dirname($hydratorCacheDir)));
}
} else if (!is_writable($hydratorCacheDir)) {
diff --git a/CacheWarmer/ProxyCacheWarmer.php b/CacheWarmer/ProxyCacheWarmer.php
index 7be81f4..e747c68 100644
--- a/CacheWarmer/ProxyCacheWarmer.php
+++ b/CacheWarmer/ProxyCacheWarmer.php
@@ -56,7 +56,7 @@ class ProxyCacheWarmer implements CacheWarmerInterface
// we need the directory no matter the proxy cache generation strategy.
$proxyCacheDir = $this->container->getParameter('doctrine_mongodb.odm.proxy_dir');
if (!file_exists($proxyCacheDir)) {
- if (false === @mkdir($proxyCacheDir, 0777, true)) {
+ if (false === @mkdir($proxyCacheDir, 0775, true)) {
throw new \RuntimeException(sprintf('Unable to create the Doctrine Proxy directory (%s)', dirname($proxyCacheDir)));
}
} else if (!is_writable($proxyCacheDir)) {
diff --git a/DependencyInjection/Compiler/CreateHydratorDirectoryPass.php b/DependencyInjection/Compiler/CreateHydratorDirectoryPass.php
index 3d79d30..c43e54b 100644
--- a/DependencyInjection/Compiler/CreateHydratorDirectoryPass.php
+++ b/DependencyInjection/Compiler/CreateHydratorDirectoryPass.php
@@ -31,7 +31,7 @@ class CreateHydratorDirectoryPass implements CompilerPassInterface
// Create document proxy directory
$hydratorCacheDir = $container->getParameter('doctrine_mongodb.odm.hydrator_dir');
if (!is_dir($hydratorCacheDir)) {
- if (false === @mkdir($hydratorCacheDir, 0777, true)) {
+ if (false === @mkdir($hydratorCacheDir, 0775, true)) {
exit(sprintf('Unable to create the Doctrine Hydrator directory (%s)', dirname($hydratorCacheDir)));
}
} elseif (!is_writable($hydratorCacheDir)) {
diff --git a/DependencyInjection/Compiler/CreateProxyDirectoryPass.php b/DependencyInjection/Compiler/CreateProxyDirectoryPass.php
index 2bc9830..2236c53 100644
--- a/DependencyInjection/Compiler/CreateProxyDirectoryPass.php
+++ b/DependencyInjection/Compiler/CreateProxyDirectoryPass.php
@@ -31,7 +31,7 @@ class CreateProxyDirectoryPass implements CompilerPassInterface
// Create document proxy directory
$proxyCacheDir = $container->getParameter('doctrine_mongodb.odm.proxy_dir');
if (!is_dir($proxyCacheDir)) {
- if (false === @mkdir($proxyCacheDir, 0777, true)) {
+ if (false === @mkdir($proxyCacheDir, 0775, true)) {
exit(sprintf('Unable to create the Doctrine Proxy directory (%s)', dirname($proxyCacheDir)));
}
} elseif (!is_writable($proxyCacheDir)) {
--
1.7.9.5
commit 2b3648c725f82efc1f1b12e8e3e35c76df990b58
Author: Benjamin Eberlei <kontakt@beberlei.de>
Date: Mon Aug 31 13:57:29 2015 +0200
[DCOM-293] Fix security misconfiguration vulnerability allowing local remote arbitrary code execution.
diff --git a/lib/Doctrine/ORM/Cache/Region/FileLockRegion.php b/lib/Doctrine/ORM/Cache/Region/FileLockRegion.php
index 69167bc..d8d4b26 100644
--- a/lib/Doctrine/ORM/Cache/Region/FileLockRegion.php
+++ b/lib/Doctrine/ORM/Cache/Region/FileLockRegion.php
@@ -61,7 +61,7 @@ class FileLockRegion implements ConcurrentRegion
*/
public function __construct(Region $region, $directory, $lockLifetime)
{
- if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) {
+ if ( ! is_dir($directory) && ! @mkdir($directory, 0775, true)) {
throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $directory));
}
@@ -242,6 +242,7 @@ class FileLockRegion implements ConcurrentRegion
if ( ! @file_put_contents($filename, $lock->value, LOCK_EX)) {
return null;
}
+ chmod($filename, 0664);
return $lock;
}
diff --git a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
index 1f97a50..b229f4a 100644
--- a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
+++ b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
@@ -137,7 +137,7 @@ EOT
// Process destination directory
if ( ! is_dir($destPath = $input->getArgument('dest-path'))) {
- mkdir($destPath, 0777, true);
+ mkdir($destPath, 0775, true);
}
$destPath = realpath($destPath);
diff --git a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
index 5221187..21edb9d 100644
--- a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
+++ b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
@@ -79,7 +79,7 @@ EOT
}
if ( ! is_dir($destPath)) {
- mkdir($destPath, 0777, true);
+ mkdir($destPath, 0775, true);
}
$destPath = realpath($destPath);
diff --git a/lib/Doctrine/ORM/Tools/EntityGenerator.php b/lib/Doctrine/ORM/Tools/EntityGenerator.php
index ec83c4e..9027d9a 100644
--- a/lib/Doctrine/ORM/Tools/EntityGenerator.php
+++ b/lib/Doctrine/ORM/Tools/EntityGenerator.php
@@ -364,7 +364,7 @@ public function __construct(<params>)
$dir = dirname($path);
if ( ! is_dir($dir)) {
- mkdir($dir, 0777, true);
+ mkdir($dir, 0775, true);
}
$this->isNew = !file_exists($path) || (file_exists($path) && $this->regenerateEntityIfExists);
@@ -389,6 +389,7 @@ public function __construct(<params>)
} elseif ( ! $this->isNew && $this->updateEntityIfExists) {
file_put_contents($path, $this->generateUpdatedEntityClass($metadata, $path));
}
+ chmod($path, 0664);
}
/**
diff --git a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
index f94292a..f431588 100644
--- a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
+++ b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
@@ -147,11 +147,12 @@ class <className> extends <repositoryName>
$dir = dirname($path);
if ( ! is_dir($dir)) {
- mkdir($dir, 0777, true);
+ mkdir($dir, 0775, true);
}
if ( ! file_exists($path)) {
file_put_contents($path, $code);
+ chmod($path, 0664);
}
}
diff --git a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
index 3e96af8..b2ed435 100644
--- a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
+++ b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
@@ -130,7 +130,7 @@ abstract class AbstractExporter
public function export()
{
if ( ! is_dir($this->_outputDir)) {
- mkdir($this->_outputDir, 0777, true);
+ mkdir($this->_outputDir, 0775, true);
}
foreach ($this->_metadata as $metadata) {
@@ -139,12 +139,13 @@ abstract class AbstractExporter
$path = $this->_generateOutputPath($metadata);
$dir = dirname($path);
if ( ! is_dir($dir)) {
- mkdir($dir, 0777, true);
+ mkdir($dir, 0775, true);
}
if (file_exists($path) && !$this->_overwriteExistingFiles) {
throw ExportException::attemptOverwriteExistingFile($path);
}
file_put_contents($path, $output);
+ chmod($path, 0664);
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.