From f19305ce7406d959fdab35043dbe07735acd2d6a Mon Sep 17 00:00:00 2001
From: Thomas Leonard <talex5@gmail.com>
Date: Sun, 25 Feb 2007 11:58:22 +0000
Subject: [PATCH] Stricter permissions for unpacking:

- If any X bit is set, set all of them.
- Disable any special bits (setuid, etc).

git-svn-id: file:///home/talex/Backups/sf.net/Subversion/zero-install/trunk/0launch@1560 9f8c893c-44ee-0310-b757-c8ca8341c71e
---
 zeroinstall/zerostore/unpack.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/zeroinstall/zerostore/unpack.py b/zeroinstall/zerostore/unpack.py
index 2b12ad8..a6dd4ff 100644
--- a/zeroinstall/zerostore/unpack.py
+++ b/zeroinstall/zerostore/unpack.py
@@ -301,7 +301,14 @@ def extract_tar(stream, destdir, extract, decompress, start_offset = 0):
 			debug("Can't get uid/gid")
 
 		def chmod_extract(tarinfo):
-			tarinfo.mode = (tarinfo.mode | 0666) & ~current_umask
+			# If any X bit is set, they all must be
+			if tarinfo.mode & 0111:
+				tarinfo.mode |= 0111
+
+			# Everyone gets read and write (subject to the umask)
+			# No special bits are allowed.
+			tarinfo.mode = ((tarinfo.mode | 0666) & ~current_umask) & 0777
+
 			# Don't change owner, even if run as root
 			if uid:
 				tarinfo.uid = uid
-- 
2.11.4.GIT