restrict folder permissions of file storage to 0644

chillerlan · Apr 2, 2024 · c051b25 · c051b25
1 parent f1ab4b0
commit c051b25
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/docs/Basics/Configuration-settings.md b/docs/Basics/Configuration-settings.md
@@ -15,6 +15,27 @@ The application secret given by your provider
 The (main) callback URL associated with your application
 
 
+## useStorageEncryption
+
+Whether to use encryption for the file storage
+
+
+**See also:**
+
+- `\chillerlan\OAuth\Storage\FileStorage`
+
+
+## storageEncryptionKey
+
+The encryption key to use
+
+
+**See also:**
+
+- [php.net: `\sodium_crypto_secretbox_keygen()`](https://www.php.net/manual/function.sodium-crypto-secretbox-keygen)
+- `\chillerlan\OAuth\Storage\FileStorage`
+
+
 ## tokenAutoRefresh
 
 Whether to automatically refresh access tokens (OAuth2)
@@ -70,3 +91,14 @@ The session array key for <state> storage (OAuth2)
 
 - `\chillerlan\OAuth\Storage\SessionStorage`
 
+
+## fileStoragePath
+
+The file storage root path (requires permissions 0777)
+
+
+**See also:**
+
+- [php.net: `\is_writable()`](https://www.php.net/manual/function.is-writable)
+- `\chillerlan\OAuth\Storage\FileStorage`
+
diff --git a/src/OAuthOptionsTrait.php b/src/OAuthOptionsTrait.php
@@ -92,8 +92,9 @@ trait OAuthOptionsTrait{
 	protected string $sessionStateVar = 'chillerlan-oauth-state';
 
 	/**
-	 * The file storage root path
+	 * The file storage root path (requires permissions 0777)
 	 *
+	 * @see \is_writable()
 	 * @see \chillerlan\OAuth\Storage\FileStorage
 	 */
 	protected string $fileStoragePath = '';

diff --git a/src/Storage/FileStorage.php b/src/Storage/FileStorage.php
@@ -21,7 +21,13 @@
 use const DIRECTORY_SEPARATOR;
 
 /**
+ * Implements a memory storage adapter.
  *
+ * Please note that the storage root directory needs permissions 0777 or `is_writable()` will fail.
+ * Subfolders created by this class will have permissions set to 0644.
+ *
+ * @see \is_writable()
+ * @see \chillerlan\OAuth\OAuthOptions::$fileStoragePath
  */
 class FileStorage extends OAuthStorageAbstract{
 
@@ -181,7 +187,7 @@ protected function saveFile(string $data, string $key, string $provider):void{
 		$path = $this->getFilepath($key, $provider);
 		$dir  = dirname($path);
 
-		if(!is_dir($dir) && !mkdir($dir, 0o755, true)){
+		if(!is_dir($dir) && !mkdir($dir, 0o644, true)){
 			throw new OAuthStorageException(sprintf('could not create directory "%s"', $dir)); // @codeCoverageIgnore
 		}