AO3-5029

Several static files have bad mode in the repo

Details

• Type: Bug
• Status: Deployed
• Priority: Low
• Resolution: DeployedToBeta
• Affects Version/s: 0.9.194
• Fix Version/s: 0.9.198
• Environment: Any UNIX-like
• Milestone: Internal 0.9
• Difficulty: Easy
• Roadmap: Misc

Description

Several files under the public directory have the "executable" flag enabled and have a mode of 755. A listing of these files can be produced with find: find public/ -type f -executable. The total number is about 100. They will be parsed and run as executables by the system.

This is unexpected behaviour, a potential inconvenience, and a very minor security risk. The security aspect is considered minor because the potential for abuse is already covered by other practices, notably code review. Triviality notwithstanding, there is no harm in allowing the kernel to work for us in preventing an unintended execution.

An example session replicating the issue follows. The specifics depend on the system's shell and configuration. Certain file managers may also experience problems (files defaulting to execution rather than editing).

Replicating

> ./public/stylesheets/sandbox.css

Expected behaviour

bash: ./public/stylesheets/sandbox.css: Permission denied

Actual behaviour

./public/stylesheets/sandbox.css: line 1: /*==SANDBOX:: No such file or directory
./public/stylesheets/sandbox.css: line 2: Rules: command not found
./public/stylesheets/sandbox.css: line 5: unexpected EOF while looking for matching `''
./public/stylesheets/sandbox.css: line 32: syntax error: unexpected end of file

System details

GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu) on Debian 4.9.25-1 (2017-05-02) x86_64 GNU/Linux

Solution

Run find public/ -type f -executable -exec chmod -c -x -- '{}' ';' and push the changes remotely.
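An added example, not code from the ticket or the AO3 repository: a POSIX sh check-and-fix for this class of mode error, usable as a CI gate so the cleanup in the solution does not silently regress. The function names and the fixture tree built by make_fixture are constructed for illustration; the git-index variant relies on git recording the executable bit itself (100755 vs 100644), which is what the final push actually corrects.

```shell
#!/bin/sh
# Added example, not code from the AO3 ticket or repository: a check-and-fix
# for static files that carry an executable bit. Exercised against a constructed
# fixture tree (see make_fixture) rather than a real checkout.

# Print regular files under DIR ($1) that have any executable bit set.
# Symbolic -perm tests are used instead of GNU find's -executable so the
# result does not depend on who runs the check (root passes -executable for
# everything) and so it also works with BSD/macOS find.
list_exec_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \)
}

# CI gate / pre-commit check: succeed only if nothing under DIR is executable.
# Offenders go to stderr so a failing job names exactly which files to fix.
check_no_exec() {
    offenders=$(list_exec_files "$1")
    if [ -n "$offenders" ]; then
        printf 'executable static files found:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# The fix from the ticket, reporting per file without GNU chmod's -c flag.
strip_exec_bits() {
    list_exec_files "$1" | while IFS= read -r f; do
        chmod a-x -- "$f" && printf 'mode fixed: %s\n' "$f"
    done
}

# git stores the executable bit itself (100755 vs 100644), so the same
# check can be run against the index, independent of the working-tree mode.
list_exec_in_index() {
    git ls-files -s -- "$1" | awk '$1 == "100755" { print $4 }'
}

# Build a small constructed tree mimicking public/ with one bad-mode file.
# Prints the temporary directory; the caller removes it when done.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/public/stylesheets" "$d/public/images"
    printf '/*==SANDBOX::\nRules:\n*/\n' > "$d/public/stylesheets/sandbox.css"
    : > "$d/public/images/logo.png"
    chmod 755 "$d/public/stylesheets/sandbox.css"
    chmod 644 "$d/public/images/logo.png"
    printf '%s\n' "$d"
}
```

Run check_no_exec public/ in CI to catch regressions; list_exec_in_index public/ shows what git has recorded, which can differ from the working tree when core.fileMode is false.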

People

• Assignee: whiterocket Vas
• Reporter: whiterocket Vas
• Watchers: 2
