From 30f5bf7a3b97bdd81e8e6002c7286c50561f8c96 Mon Sep 17 00:00:00 2001
From: Chuck Burgess
Date: Sun, 28 Jan 2024 10:28:10 -0600
Subject: [PATCH] use 775 default for mkdirs, to avoid world-write
---
 Archive/Tar.php | 4 ++--
 tests/dir_permissions.phpt | 22 ++++++++++++++++++++++
 tests/dir_permissions.tar | Bin 0 -> 10240 bytes
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 tests/dir_permissions.phpt
 create mode 100644 tests/dir_permissions.tar
diff --git a/Archive/Tar.php b/Archive/Tar.php
index 327553b..03daa39 100644
--- a/Archive/Tar.php
+++ b/Archive/Tar.php
@@ -2115,7 +2115,7 @@ public function _extractList(
 if ($v_extract_file) {
 if ($v_header['typeflag'] == "5") {
 if (!@file_exists($v_header['filename'])) {
- if (!@mkdir($v_header['filename'], 0777)) {
+ if (!@mkdir($v_header['filename'], 0775)) {
 $this->_error(
 'Unable to create directory {'
 . $v_header['filename'] . '}'
@@ -2448,7 +2448,7 @@ public function _dirCheck($p_dir)
 return false;
 }
- if (!@mkdir($p_dir, 0777)) {
+ if (!@mkdir($p_dir, 0775)) {
 $this->_error("Unable to create directory '$p_dir'");
 return false;
 }
diff --git a/tests/dir_permissions.phpt b/tests/dir_permissions.phpt
new file mode 100644
index 0000000..0826e09
--- /dev/null
+++ b/tests/dir_permissions.phpt
@@ -0,0 +1,22 @@
+--TEST--
+test permissions of created dirs
+--SKIPIF--
+--FILE--
+extract('', true);
+$phpunit->assertNoErrors('after');
+echo substr(sprintf('%o', fileperms('dir_permissions')), -4), PHP_EOL;
+echo 'tests done';
+?>
+--CLEAN--
+
+--EXPECT--
+0775
+tests done
diff --git a/tests/dir_permissions.tar b/tests/dir_permissions.tar
new file mode 100644
index 0000000000000000000000000000000000000000..d7a10c4c824d7261b64902c3819c47e32340f129
GIT binary patch
literal 10240
zcmeIyK@Ng25J1tcJw;ETR9d>$i@SRLw0t4s-LW;n}W%cpN#Ev0b&TDkXS
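Review bot: The literal `0775` passed to `mkdir()` in `_extractList` still creates group-writable directories, and the same literal is duplicated in the `_dirCheck` hunk below. `mkdir()` applies the process umask on top of this mode, so the value is only an upper bound and the result differs between hosts; with a permissive umask, any account in the extracting process's group can add or replace files in the unpacked tree. Unless group write is a documented requirement, I would use `0755` in both calls, defined once (for example `const DEFAULT_DIR_MODE = 0755;`) with the comment `// upper bound; effective mode is DEFAULT_DIR_MODE & ~umask()`. Both function bodies start and end outside their hunks.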
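Review bot: The `--EXPECT--` value `0775` in tests/dir_permissions.phpt only holds when the test process runs with a umask that clears no group bits; under the widespread default umask 022, `mkdir(..., 0775)` yields 0755 and the test fails. The PHP body of the `--FILE--` section is not fully visible on this page, so if it does not already do so, pin the umask around the extraction with `$old = umask(0);` before `extract()` and `umask($old);` afterwards. It would also be more robust to assert the property the commit is about, that the world-write bit is clear, for example `var_dump((fileperms('dir_permissions') & 0002) === 0);`, rather than an exact mode string.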