Non-executable files set with executable permissions #2172

Closed
mensfeld opened this issue Aug 12, 2021 · 4 comments · Fixed by #2176

Comments

@mensfeld
Contributor

Hey there,

While reviewing the source code of alchemy_cms I've noticed that several files in the app/assets directory have executable permissions while not being executables.

For example:

app/assets/stylesheets/tinymce/skins/alchemy/fonts/tinymce-small.sv
app/assets/stylesheets/tinymce/skins/alchemy/img/anchor.gif
app/assets/stylesheets/tinymce/skins/alchemy/img/trans.gif

Is that something intended? If so, I would appreciate an explanation, as I often find it as a bug.

Thank you 🙏

@tvdeyen
Member

tvdeyen commented Aug 12, 2021

This is not intentional. Thanks for reporting.

Out of curiosity what is the bug you are having?

@mensfeld
Contributor Author

> Out of curiosity what is the bug you are having?

No bug. By saying "I often find it as a bug" I wanted to indicate that usually it is not intentional.

@tvdeyen
Member

tvdeyen commented Aug 12, 2021

So, do you think the maintainers need to take action on this or can we close this then, because it does not seem to break someone's production site, right?

I am happy to accept a PR that changes those files' permissions, though.

@mensfeld
Contributor Author

mensfeld commented Aug 12, 2021

That is actually a good question. In general I think that only executable files should be executables as that indicates what can be executed. I'm happy to fix that in this repo, so if you don't mind let's keep it open till tomorrow (when I can submit a patch).

One security case that I've seen that could exploit that is a type mismatch (it did happen), when PNG files were executables with cryptojacking code.
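
An added example, not part of the thread or of the alchemy_cms code base: one way to audit a checkout for the condition reported above, listing files whose executable bit is set although their content is neither a script nor a binary. The function names, the shebang/ELF heuristic and the sample tree are assumptions of this example.

```sh
#!/bin/sh
# Added example: report files whose mode says "executable" but whose
# content does not. Function names and the heuristic are this example's own.

# Heuristic (assumption): executable content starts with "#!" or ELF magic.
looks_executable() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        2321*)    return 0 ;;   # "#!" interpreter script
        7f454c46) return 0 ;;   # ELF binary
        *)        return 1 ;;   # image, font, stylesheet, empty file, ...
    esac
}

# Print each regular file under $1 that has any x bit set (user, group or
# other) but fails the heuristic. The .git directory is skipped.
find_spurious_exec() {
    find "$1" -name .git -prune -o -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        looks_executable "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample tree (not the project's files): one image wrongly
# marked 0755, one real script, one stylesheet with a normal 0644 mode.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/img" "$t/bin" "$t/css"
    printf 'GIF89a' > "$t/img/anchor.gif";       chmod 755 "$t/img/anchor.gif"
    printf '#!/bin/sh\necho ok\n' > "$t/bin/run"; chmod 755 "$t/bin/run"
    printf 'body{}\n' > "$t/css/site.css";       chmod 644 "$t/css/site.css"
    printf '%s\n' "$t"
}

# Stand-alone use: sh check.sh path/to/checkout
if [ "$#" -gt 0 ]; then
    find_spurious_exec "$1"
fi
```

A flagged bit can be cleared with `chmod a-x <path>`; in a Git checkout, `git update-index --chmod=-x <path>` stages the mode change.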
