diff --git a/composer/Plugin/VendorHardening/FileSecurity.php b/composer/Plugin/VendorHardening/FileSecurity.php
index 263314582a51bed5cb19f0d5e28eae8da9fcd957..6e89744beb9f01738a972967e8dcf9e88612de8c 100644
--- a/composer/Plugin/VendorHardening/FileSecurity.php
+++ b/composer/Plugin/VendorHardening/FileSecurity.php
@@ -28,7 +28,7 @@ class FileSecurity {
 * TRUE if the file already exists or was created. FALSE otherwise.
 */
 public static function writeHtaccess($directory, $deny_public_access = TRUE, $force = FALSE) {
- return self::writeFile($directory, '/.htaccess', self::htaccessLines($deny_public_access), $force);
+ return self::writeFile($directory, '.htaccess', self::htaccessLines($deny_public_access), $force);
 }
 /**
@@ -112,7 +112,7 @@ protected static function denyPublicAccess() {
 * TRUE if the file already exists or was created. FALSE otherwise.
 */
 public static function writeWebConfig($directory, $force = FALSE) {
- return self::writeFile($directory, '/web.config', self::webConfigLines(), $force);
+ return self::writeFile($directory, 'web.config', self::webConfigLines(), $force);
 }
 /**
@@ -154,7 +154,9 @@ protected static function writeFile($directory, $filename, $contents, $force) {
 if (file_exists($file_path) && !$force) {
 return TRUE;
 }
- if (file_exists($directory) && is_writable($directory) && file_put_contents($file_path, $contents)) {
+ // Try to write the file. This can fail if concurrent requests are both
+ // trying to write a the same time.
+ if (@file_put_contents($file_path, $contents)) {
 return @chmod($file_path, 0444);
 }
 return FALSE;
diff --git a/core/lib/Drupal/Component/FileSecurity/FileSecurity.php b/core/lib/Drupal/Component/FileSecurity/FileSecurity.php
index d9996bbbca211b07097950278216cf508e714b7c..1b90afd8ddae92b772963b6920a3299dff68a33e 100644
--- a/core/lib/Drupal/Component/FileSecurity/FileSecurity.php
+++ b/core/lib/Drupal/Component/FileSecurity/FileSecurity.php
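Review bot: In the writeFile() hunk of composer/Plugin/VendorHardening/FileSecurity.php, a request that loses the race named in the new comment can still get FALSE although the file it wanted now exists: once the winner has created the file and set it to 0444, the loser's `@file_put_contents()` will normally fail and fall through to `return FALSE;`. Callers are not visible here, but any that report FALSE as a failed hardening step would raise a false alarm; ending the function with `return !$force && file_exists($file_path);` would be consistent with the early return at the top of the hunk. The same applies to the matching hunk in core/lib/Drupal/Component/FileSecurity/FileSecurity.php. The added comment also has a typo, `a the same time` for `at the same time`. writeFile() starts above the hunk, so how `$file_path` is built is not visible.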
@@ -26,7 +26,7 @@ class FileSecurity {
 * TRUE if the file already exists or was created. FALSE otherwise.
 */
 public static function writeHtaccess($directory, $deny_public_access = TRUE, $force = FALSE) {
- return self::writeFile($directory, '/.htaccess', self::htaccessLines($deny_public_access), $force);
+ return self::writeFile($directory, '.htaccess', self::htaccessLines($deny_public_access), $force);
 }
 /**
@@ -110,7 +110,7 @@ protected static function denyPublicAccess() {
 * TRUE if the file already exists or was created. FALSE otherwise.
 */
 public static function writeWebConfig($directory, $force = FALSE) {
- return self::writeFile($directory, '/web.config', self::webConfigLines(), $force);
+ return self::writeFile($directory, 'web.config', self::webConfigLines(), $force);
 }
 /**
@@ -152,7 +152,12 @@ protected static function writeFile($directory, $filename, $contents, $force) {
 if (file_exists($file_path) && !$force) {
 return TRUE;
 }
- if (file_exists($directory) && is_writable($directory) && file_put_contents($file_path, $contents)) {
+ // Writing the file can fail if:
+ // - concurrent requests are both trying to write at the same time.
+ // - $directory does not exist or is not writable.
+ // Testing for these conditions introduces windows for concurrency issues to
+ // occur.
+ if (@file_put_contents($file_path, $contents)) {
 return @chmod($file_path, 0444);
 }
 return FALSE;
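Review bot: In the writeFile() hunk of core/lib/Drupal/Component/FileSecurity/FileSecurity.php, `@` on `file_put_contents()` together with the removed directory checks makes every failure silent, so FALSE is the only signal that the .htaccess or web.config meant to protect `$directory` was not written. The new comment explains why the checks were dropped but not what a caller must do with the result; I would add a line such as `// No warning is raised on failure: callers must treat FALSE as "directory not protected".` The condition is also a truthiness test, so a write of zero bytes would count as failure; `@file_put_contents($file_path, $contents) !== FALSE` states the intent, although the contents passed by the two public writers are presumably never empty. writeFile()'s docblock and the line that builds `$file_path` are outside the hunk.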