From: Stefan Eissing
Date: Thu, 4 Apr 2019 13:42:52 +0000 (+0000)
Subject: Merged /httpd/httpd/trunk:r1856297
X-Git-Tag: 2.4.40~148
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe13ac135e1698a5a5de54b89afd10903bb38b6f;p=thirdparty%2Fapache%2Fhttpd.git
Merged /httpd/httpd/trunk:r1856297
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in spite of umask. Fixes . [Stefan Eissing]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1856935 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index c4deafbdeae..62b5f74b38e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.4.40
+ *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
+ spite of umask. Fixes . [Stefan Eissing]
+
 Changes with Apache 2.4.39
 *) SECURITY: CVE-2019-0197 (cve.mitre.org) mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
diff --git a/modules/md/md_util.c b/modules/md/md_util.c
index 4e97d92bd3f..83c6a4b5231 100644
--- a/modules/md/md_util.c
+++ b/modules/md/md_util.c
@@ -194,8 +194,20 @@ apr_status_t md_util_fopen(FILE **pf, const char *fn, const char *mode)
 apr_status_t md_util_fcreatex(apr_file_t **pf, const char *fn, apr_fileperms_t perms, apr_pool_t *p)
 {
- return apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
- perms, p);
+ apr_status_t rv;
+ rv = apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
+ perms, p);
+ if (APR_SUCCESS == rv) {
+ /* See
+ * Some people set umask 007 to deny all world read/writability to files
+ * created by apache. While this is a noble effort, we need the store files
+ * to have the permissions as specified. */
+ rv = apr_file_perms_set(fn, perms);
+ if (APR_STATUS_IS_ENOTIMPL(rv)) {
+ rv = APR_SUCCESS;
+ }
+ }
+ return rv;
 }
 apr_status_t md_util_is_dir(const char *path, apr_pool_t *pool)
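Review bot: When `apr_file_perms_set(fn, perms)` fails with anything other than ENOTIMPL, md_util_fcreatex returns the error but leaves `*pf` open and the exclusively created file on disk, so a caller that treats the call as failed will presumably not close it, and a retry would hit EEXIST because of APR_FOPEN_EXCL. The failure branch should undo the create, e.g. `else if (APR_SUCCESS != rv) { apr_file_close(*pf); *pf = NULL; apr_file_remove(fn, p); }`. Separately, the mode is applied by path rather than on the handle that was just opened, so the result depends on the store directory not being writable by other users; a one-line comment stating that assumption next to the call would help the next reader. On Unix the file is created with `perms` masked by umask, so between the open and the chmod it is never more permissive than `perms`.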
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index 48e91a0585b..a7e2e51c28f 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_MD_VERSION "1.1.17"
+#define MOD_MD_VERSION "1.1.19"
 /**
 * @macro
@@ -35,7 +35,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_MD_VERSION_NUM 0x010111
+#define MOD_MD_VERSION_NUM 0x010113
 #define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"