> It boggles my mind why Magento would willingly distribute unsafe code this way, assuming users would just find out to download the patches separately.
Because Magento are OBSERVABLY INSANE.
This is from the Magento Enterprise tarball. I can't say how much we're paying, but I can say it's public knowledge that it's at least $13,000 a year:
The first two are a third party module. If 0777 is objectionable then I'm surprised you are using the module or haven't at least patched it - not trying to snark, just wondering if there's some additional context.
There don't seem to be any specific vulnerabilities related to these permissions, though I'd like to see them go away. It's my understanding that 777 will not exist in Magento 2.
As I said: Magento Enterprise tar ball, supplied at considerable expense straight from Magento. Magento bears full responsibility for the contents.
You really seriously just don't have any excuse for this sort of thing.
> There don't seem to be any specific vulnerabilities related to these permissions, though I'd like to see them go away.
Only someone working for Magento could claim 777 is ever not a hideously terrible idea to have in the webroot of a PHP application. This is frankly insane behaviour. It's like running applications as root in the general case and saying "well, we haven't found a vulnerability yet." YOU REALISE PEOPLE PUT REAL MONEY THROUGH THIS THING.
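An added example, not written by anyone in this thread: a short POSIX shell audit a defender can run over an unpacked vendor tarball (or a live webroot) before deploying it, to list every file or directory whose "other" write bit is set, count them, and strip the bit. It assumes only a POSIX `find` that accepts `-perm -002`; the sample tree it builds is constructed here for demonstration and is not the Magento layout.

```shell
#!/bin/sh
# Audit helper for world-writable entries (mode bit o+w, e.g. 0777/0666).
# Added example, not code from the thread or from Magento.
# Assumes: POSIX find with "-perm -002", mktemp -d, chmod.

find_world_writable() {
    # $1: directory to audit.
    # Prints the path of every regular file or directory whose "other"
    # write bit is set. Symlinks are excluded because on many systems
    # they always report 0777 and would only add noise.
    find "$1" -perm -002 ! -type l 2>/dev/null | sort
}

count_world_writable() {
    # Number of world-writable entries under $1 (as a plain integer).
    find_world_writable "$1" | wc -l | tr -d ' '
}

strip_other_write() {
    # Remediation: remove the "other" write bit from every offending
    # entry under $1, leaving owner/group bits untouched.
    find "$1" -perm -002 ! -type l -exec chmod o-w {} + 2>/dev/null
}

make_sample_tree() {
    # Constructed sample tree (not a real Magento tree): two entries are
    # deliberately world-writable, one is a sane 0644 PHP file.
    dir=$(mktemp -d)
    mkdir -p "$dir/var/cache" "$dir/app/code"
    : > "$dir/var/cache/data"
    : > "$dir/app/code/Module.php"
    chmod 0777 "$dir/var/cache" "$dir/var/cache/data"
    chmod 0644 "$dir/app/code/Module.php"
    echo "$dir"
}

main() {
    tree=$(make_sample_tree)
    echo "World-writable entries before remediation:"
    find_world_writable "$tree"
    strip_other_write "$tree"
    echo "Remaining after chmod o-w: $(count_world_writable "$tree")"
    rm -rf "$tree"
}

# Run the demonstration only when executed directly, not when sourced.
[ "${0##*/}" = "audit_perms.sh" ] && main
```

Running the audit on a freshly unpacked tarball (`find_world_writable /path/to/unpacked`) gives a concrete list to attach to a bug report, and re-running it after `strip_other_write` confirms nothing world-writable remains before the tree goes near a webroot.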
> It's my understanding that 777 will not exist in Magento 2.
> As I said: Magento Enterprise tar ball, supplied at considerable expense straight from Magento.
Is this a download from the partner portal? I've asked support to check, but you can probably point out the source much more quickly than I can track it down.
> Only someone working for Magento could claim 777 is ever not a hideously terrible idea to have in the webroot of a PHP application
I did not make this claim. I stated that I wish it were not there. It's not necessary, as the kinds of environments in which 777 is necessary are a problem unto themselves. These instances are borne of legacy concerns which pre-date my arrival at Magento by 6 or 7 years. Pity they were not patched before now.
Have you ever filed a bug report for this issue? I can imagine you might say, "I shouldn't have to," (and I agree), but it's remarkable what even a single ticket can do.
In general, it's unfortunate that Magento 1.x development and bug tracking are so... internal. In contrast to the visibility and interaction present at https://github.com/magento/magento2/issues it's clear that everyone is better off. Of course, we have to consider how to have the same kind of open dialogue for Enterprise Edition, and we're working out how to do that. Would you care to participate in a private GitHub repo, or can you suggest some other medium? Really, neither you nor I should have to spend time writing about the 777 issue - an open dialogue would likely have led this to be fixed years ago, so we could spend time bemoaning & fixing other issues!