
osCommerce

The e-commerce.

Why do uploaded images have a permission of 777?


dgriffi


I'm playing around with 2.3.4 and was rather flabbergasted to find in catalog/images/ that images uploaded are given permissions of 777.  I found in catalog/admin/includes/classes/upload.php this line:

function upload($file = '', $destination = '', $permissions = '777', $extensions = '') {

Would someone please explain to me why permissions of 777 are desirable here?


777 is only the default permissions for this function, but still, is obsolete and undesirable. The trouble is, different servers are set up in different ways, and what works on one may not work on others. If PHP is running as "owner/user", 755 is likely correct. If PHP is running in your "group", 775 might work. Only if PHP is running as "other/world" should 777 be used. "777" is a leftover from the ancient time when you could trust everyone sharing your server (Unix box) and didn't have to worry about malicious access by others. Many servers these days will trip a 500 error for "world writable" files and directories, as they are considered a security hazard.

 

Actually, it's also obsolete in that it has "execute" (+111) permission for files, which are rarely needed except for executables (both binary such as .exe and shell scripts). Files are usually 644/664/666.

 

Anyway, a properly written application should never hard code 777 (or any other permission setting). It should use some defined constant for "program writable directory" or "program writable file", to be set at installation time by the owner, or figured out by the installer and set once in a configuration file. Since most people can't figure out this stuff on their own, it's probably safer to do the latter.


  • 2 weeks later...

@MrPhil I have noticed the same - so should we change the coding of the file mentioned by @dgriffi above to read 644 or whatever permissions our servers will accept for images?

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


An image is just an ordinary file, usually written once by osC and never touched again. So whatever the usual permissions are for a file on your server should do fine. That PHP file given above might be used to upload other than images, but still, unless they are executable scripts (requiring +111) or something that osC (PHP) will need to overwrite (and PHP is not running as owner), I don't see any harm in changing the 777 to 644 (unless your server requires something like 604). You can always change it back (or to something less restrictive) if you run into problems. Looking at the osC 2.3.4 code that invokes upload(), it appears that it always uses the default permissions, and is only used for images.

 

If it's running fine with 777 permissions, that means your host doesn't restrict "world writable" file/directory access. However, it means that potentially someone sharing your server could get in and overwrite your image files, so you might want to change existing image files from 777 to 644, as well as changing the default. Just remember what you did in case you need to go back and change it again (or back).


Archived

This topic is now archived and is closed to further replies.
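
The cleanup suggested in the last reply (resetting existing image files from 777 to 644), as an added example that is not part of the original thread or of osCommerce: POSIX shell functions that list and tighten over-permissive files under an upload directory. The function names are hypothetical, and the default mode 644 is an assumption that should be replaced by whatever your server needs (for example 664 or 604, as discussed above).

```shell
#!/bin/sh
# Added example (not osCommerce code). Function names are hypothetical.

# Run find over regular files that are world-writable or carry any execute
# bit; extra arguments are appended as the find action.
# Symlinks are not followed, so only real files under the tree are touched.
loose_files() {
    dir=$1
    shift
    find "$dir" -type f \
        \( -perm -0002 -o -perm -0100 -o -perm -0010 -o -perm -0001 \) "$@"
}

# Report only: print each over-permissive file, change nothing.
audit_image_perms() {
    loose_files "$1" -print
}

# Reset each over-permissive file to the given mode (default 644, an
# assumption) and print how many files were changed. One dot is emitted
# per successful chmod, so odd file names cannot skew the count.
fix_image_perms() {
    loose_files "$1" -exec chmod "${2:-644}" {} \; -exec printf '.' \; \
        | wc -c | tr -d ' '
}

# Directories are only reported, not changed: whether PHP still needs write
# access to them depends on which user it runs as on your server.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Typical use, from the shop's document root:
#   audit_image_perms catalog/images
#   fix_image_perms catalog/images 644
#   world_writable_dirs catalog/images
```

Run the audit first and keep its output; it is the record of what was changed if uploads break and a mode has to be relaxed again.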
