mkdir default mask

[beat]

In these 2 lines, a mask of 0777 is used to create directories. This flags some PHP source code security scanners. A safer suggested value here would be 0755:

Archive_Tar/Archive/Tar.php

Line 2109 in 8407ee4

if (!@mkdir($v_header['filename'], 0777)) {

Archive_Tar/Archive/Tar.php

Line 2408 in 8407ee4

if (!@mkdir($p_dir, 0777)) {

[rgpublic]

0777 is the default value anyway so could be omitted altogether - let's see whether the dumb security scanner catches THAT ;-) Joking aside, just omitting is IMHO really the best option instead of taking any sides - if people want to influence that they could just as well set a default umask.

[ashnazg]

@mrook , do you recall any regular runtime issues that necessitated using 0777 on these mkdir() calls? If you don't remember anything specific, I might look at testing out adjusting it to 0755, on the assumption that it should work fine for the runtime user, and the userland code would still have the flexibility to modify the resulting files anyway if needed.

Just looking for some guidance from your experience :)

[mrook]

@ashnazg no the mkdir(xxx, 0777) calls have been in the code since well before I became active on the project. It seems it was already in the code when the package was still experimental: ea8b039

[ashnazg]

Thanks much @mrook ... that takes some fear away from me regarding this change :)

@mcdruid, I'll assign this to you... that way you can use this opportunity to do a PR and run through the overall release process for the package. I'd probably make this a point release rather than patch release, given the potential of the visible runtime behavior change.

[ashnazg]

Fixed on #46... should be released as 1.5.0 soon.