change default OUTPUT_PERMISSIONS to disallow execution except on dirs

2025-08-08 07:36:31 +02:00 · 2021-05-31 19:31:42 -04:00
parent 1112526543
commit 8230f88d80
2 changed files with 8 additions and 2 deletions
--- a/archivebox/config.py
+++ b/archivebox/config.py
@@ -74,7 +74,7 @@ CONFIG_SCHEMA: Dict[str, ConfigDefaultDict] = {
        'ONLY_NEW':                 {'type': bool,  'default': True},
        'TIMEOUT':                  {'type': int,   'default': 60},
        'MEDIA_TIMEOUT':            {'type': int,   'default': 3600},
-        'OUTPUT_PERMISSIONS':       {'type': str,   'default': '755'},
+        'OUTPUT_PERMISSIONS':       {'type': str,   'default': '644'},
        'RESTRICT_FILE_NAMES':      {'type': str,   'default': 'windows'},
        'URL_BLACKLIST':            {'type': str,   'default': r'\.(css|js|otf|ttf|woff|woff2|gstatic\.com|googleapis\.com/css)(\?.*)?$'},  # to avoid downloading code assets as their own pages
        'ENFORCE_ATOMIC_WRITES':    {'type': bool,  'default': True},
--- a/archivebox/system.py
+++ b/archivebox/system.py
@@ -117,9 +117,15 @@ def chmod_file(path: str, cwd: str='.', permissions: str=OUTPUT_PERMISSIONS) ->
        raise Exception('Failed to chmod: {} does not exist (did the previous step fail?)'.format(path))

    if not root.is_dir():
+        # path is just a plain file
        os.chmod(root, int(OUTPUT_PERMISSIONS, base=8))
    else:
        for subpath in Path(path).glob('**/*'):
+            if subpath.is_dir():
+                # directories need execute permissions to be able to list contents
+                perms_with_x_allowed = OUTPUT_PERMISSIONS.replace('4', '5').replace('6', '7')
+                os.chmod(subpath, int(perms_with_x_allowed, base=8))
+            else:
                os.chmod(subpath, int(OUTPUT_PERMISSIONS, base=8))