From fea6131ed908140153fc1bbaa6a81571e734f151 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Wed, 5 Feb 2014 10:54:22 -0800
Subject: [PATCH] More consistently restrict access to template, config/log,
 and upload dirs.

---
 CRM/Core/Config.php          | 12 +++++++++++-
 CRM/Utils/Check/Security.php |  6 +++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CRM/Core/Config.php b/CRM/Core/Config.php
index 377cec0afe..86921c8efd 100644
--- a/CRM/Core/Config.php
+++ b/CRM/Core/Config.php
@@ -335,6 +335,7 @@ class CRM_Core_Config extends CRM_Core_Config_Variables {
         CRM_Utils_File::baseFilePath($this->templateCompileDir) .
         'ConfigAndLog' . DIRECTORY_SEPARATOR;
       CRM_Utils_File::createDir($this->configAndLogDir);
+      CRM_Utils_File::restrictAccess($this->configAndLogDir);
 
       // we're automatically prefixing compiled templates directories with country/language code
       global $tsLocale;
@@ -346,6 +347,7 @@ class CRM_Core_Config extends CRM_Core_Config_Variables {
       }
 
       CRM_Utils_File::createDir($this->templateCompileDir);
+      CRM_Utils_File::restrictAccess($this->templateCompileDir);
     }
     elseif ($loadFromDB) {
       echo 'You need to define CIVICRM_TEMPLATE_COMPILEDIR in civicrm.settings.php';
@@ -466,6 +468,7 @@ class CRM_Core_Config extends CRM_Core_Config_Variables {
         if (substr($this->templateCompileDir, -1 * strlen($value) - 1, -1) != $value) {
           $this->templateCompileDir .= CRM_Utils_File::addTrailingSlash($value);
           CRM_Utils_File::createDir($this->templateCompileDir);
+          CRM_Utils_File::restrictAccess($this->templateCompileDir);
         }
       }
 
@@ -623,7 +626,14 @@ class CRM_Core_Config extends CRM_Core_Config_Variables {
       // clean upload dir
       CRM_Utils_File::cleanDir($this->uploadDir);
       CRM_Utils_File::createDir($this->uploadDir);
-      CRM_Utils_File::restrictAccess($this->uploadDir);
+    }
+
+    // Whether we delete/create or simply preserve directories, we should
+    // certainly make sure the restrictions are enforced.
+    foreach (array($this->templateCompileDir, $this->uploadDir, $this->configAndLogDir) as $dir) {
+      if ($dir && is_dir($dir)) {
+        CRM_Utils_File::restrictAccess($dir);
+      }
     }
   }
 
diff --git a/CRM/Utils/Check/Security.php b/CRM/Utils/Check/Security.php
index 2783c1ccf3..32849c18ba 100644
--- a/CRM/Utils/Check/Security.php
+++ b/CRM/Utils/Check/Security.php
@@ -82,6 +82,11 @@ class CRM_Utils_Check_Security {
     if (CRM_Core_Permission::check('administer CiviCRM')) {
       $session = CRM_Core_Session::singleton();
       if ($session->timer('check_' . __CLASS__, self::CHECK_TIMER)) {
+
+        // Best attempt at re-securing folders
+        $config = CRM_Core_Config::singleton();
+        $config->cleanup(0, FALSE);
+
         foreach ($this->checkAll() as $message) {
           CRM_Core_Session::setStatus($message, ts('Security Warning'));
         }
@@ -138,7 +143,6 @@ class CRM_Utils_Check_Security {
     $log = CRM_Core_Error::createDebugLogger();
     $log_filename = $log->_filename;
 
-    $config = CRM_Core_Config::singleton();
     $filePathMarker = $this->getFilePathMarker();
 
     // Hazard a guess at the URL of the logfile, based on common
-- 
2.25.1