commit 644beb8358e30132409e1b958de136b0b891c98a
Author: Hugh Davenport <hugh@catalyst.net.nz>
Date:   Mon Sep 24 13:28:12 2012 +1200

    Fix saved file permissions
    
    Bug #1055232
    
    Currently, files that are saved by Mahara use the
    directorypermissions config option, which defaults to
    0700, which allows execution.
    
    This allows users to potentially upload files with
    executable bits set, and if they have control of the
    config options pathtoclam, pathtozip, or pathtounzip
    then they could run this command when one of those
    commands are invocated.
    
    This patch bitwise-AND's the directory permissions
    config with 0666, which removes any executable bit
    and sets the result as a new config option
    filepermissions.
    
    A change the upload code to use this new option is made
    
    Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
    Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

diff --git a/htdocs/artefact/file/lib.php b/htdocs/artefact/file/lib.php
index 8f8e20a..45f77f6 100644
--- a/htdocs/artefact/file/lib.php
+++ b/htdocs/artefact/file/lib.php
@@ -940,6 +940,7 @@ class ArtefactTypeFile extends ArtefactTypeFileBase {
             $f->delete();
             return false;
         }
+        chmod($newname, get_config('filepermissions'));
         $owner = null;
         if ($user) {
             $owner = $user;
@@ -2256,7 +2257,7 @@ class ArtefactTypeArchive extends ArtefactTypeFile {
             // Untar everything into a temp directory first
             $tempsubdir = tempnam($tempdir, '');
             unlink($tempsubdir);
-            mkdir($tempsubdir);
+            mkdir($tempsubdir, get_config('directorypermissions'));
             if (!$this->handle->extract($tempsubdir)) {
                 throw new SystemException("Unable to extract archive into $tempsubdir");
             }
diff --git a/htdocs/init.php b/htdocs/init.php
index 86a7234..65df1c2 100644
--- a/htdocs/init.php
+++ b/htdocs/init.php
@@ -80,6 +80,7 @@ $CFG->xmldbdisablecommentchecking = true;
 if (empty($CFG->directorypermissions)) {
     $CFG->directorypermissions = 0700;
 }
+$CFG->filepermissions = $CFG->directorypermissions & 0666;
 
 // core libraries
 require('mahara.php');
diff --git a/htdocs/lib/db/upgrade.php b/htdocs/lib/db/upgrade.php
index 35aa68a..213d89d 100644
--- a/htdocs/lib/db/upgrade.php
+++ b/htdocs/lib/db/upgrade.php
@@ -638,7 +638,7 @@ function xmldb_core_upgrade($oldversion=0) {
 
         if (is_dir($artefactdata . 'internal/profileicons')) {
             if (!is_dir($artefactdata . 'file')) {
-                mkdir($artefactdata . 'file');
+                mkdir($artefactdata . 'file', get_config('directorypermissions'));
             }
             if (!rename($artefactdata . 'internal/profileicons', $artefactdata . 'file/profileicons')) {
                 throw new SystemException("Failed moving $artefactdata/internal/profileicons to $artefactdata/file/profileicons");
diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
index 71e3da3..2a96cdc 100644
--- a/htdocs/lib/file.php
+++ b/htdocs/lib/file.php
@@ -795,7 +795,7 @@ function copyr($source, $dest)
 
     // Make destination directory
     if (!is_dir($dest)) {
-        mkdir($dest);
+        mkdir($dest, get_config('directorypermissions'));
     }
 
     // Loop through the folder
diff --git a/htdocs/lib/uploadmanager.php b/htdocs/lib/uploadmanager.php
index 7bf5cdb..de40ee4 100644
--- a/htdocs/lib/uploadmanager.php
+++ b/htdocs/lib/uploadmanager.php
@@ -171,7 +171,7 @@ class upload_manager {
             $tmpname = $this->file['tmp_name'];
         }
         if (move_uploaded_file($tmpname, $destination . '/' . $newname)) {
-            chmod($destination . '/' . $newname, get_config('directorypermissions'));
+            chmod($destination . '/' . $newname, get_config('filepermissions'));
             return false;
         }
         return get_string('failedmovingfiletodataroot');