From 1d00482e85d824ec018c5bba69ddb53c4588435f Mon Sep 17 00:00:00 2001
From: Sohail Lajevardi
Date: Thu, 19 Feb 2026 10:55:51 +0330
Subject: [PATCH] Harden default Drupal scaffold file permissions

Replace defaults in composer scaffold script
- Use 0644 for `settings.php`
- Use 0775 for `sites/default/files`
---
 scripts/composer/ScriptHandler.php | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/scripts/composer/ScriptHandler.php b/scripts/composer/ScriptHandler.php
index 4e680803a..5bab95345 100644
--- a/scripts/composer/ScriptHandler.php
+++ b/scripts/composer/ScriptHandler.php
@@ -17,6 +17,16 @@
 */
 class ScriptHandler {
+ /**
+ * Default permission for settings.php.
+ */
+ private const SETTINGS_FILE_MODE = 0644;
+
+ /**
+ * Default permission for public files directory.
+ */
+ private const PUBLIC_FILES_DIRECTORY_MODE = 0775;
+
 /**
 * Creates required Drupal directories and files to ensure proper installation.
 *
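Review bot: The docblocks on `SETTINGS_FILE_MODE` and `PUBLIC_FILES_DIRECTORY_MODE` name the path each mode applies to but not the reasoning, so a later maintainer has nothing to weigh against a request to loosen them again. I would extend them to say who keeps write access, for example `Owner read/write, everyone else read-only; the web installer can only write this file when the web server user owns it.` and `Owner and group read/write/traverse, others read-only; the web server user must own the directory or belong to its group.` The ScriptHandler class body continues beyond this hunk.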
@@ -65,16 +75,16 @@ public static function createRequiredFiles(Event $event) {
 'required' => TRUE,
 ];
 SettingsEditor::rewrite($drupalRoot . '/sites/default/settings.php', $settings);
- $fs->chmod($drupalRoot . '/sites/default/settings.php', 0666);
- $event->getIO()->write("Created a sites/default/settings.php file with chmod 0666");
+ $fs->chmod($drupalRoot . '/sites/default/settings.php', self::SETTINGS_FILE_MODE);
+ $event->getIO()->write(sprintf('Created a sites/default/settings.php file with chmod %04o', self::SETTINGS_FILE_MODE));
 }
- // Create the files directory with chmod 0777.
+ // Create the files directory with group-writable permissions.
 if (!$fs->exists($drupalRoot . '/sites/default/files') && !is_link($drupalRoot . '/sites/default/files')) {
 $oldmask = umask(0);
- $fs->mkdir($drupalRoot . '/sites/default/files', 0777);
+ $fs->mkdir($drupalRoot . '/sites/default/files', self::PUBLIC_FILES_DIRECTORY_MODE);
 umask($oldmask);
- $event->getIO()->write("Created a sites/default/files directory with chmod 0777");
+ $event->getIO()->write(sprintf('Created a sites/default/files directory with chmod %04o', self::PUBLIC_FILES_DIRECTORY_MODE));
 }
 }
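Review bot: The tighter modes are applied only on the creation paths, so a checkout scaffolded by an earlier version keeps its 0666 `settings.php` and 0777 `sites/default/files`. The `mkdir` is guarded by `!$fs->exists(...)`, and the `chmod` appears to sit inside a similar creation branch whose opening is outside the hunk. Consider reporting paths that are still world-writable once the creation steps have run, so existing sites learn they need a manual fix instead of silently staying on the old defaults. The sketch below only warns and changes nothing on disk; `createRequiredFiles` begins before the hunk.

```php
    // … unchanged: settings.php and files directory creation …

    // Report world-writable leftovers from earlier scaffold runs.
    foreach (['/sites/default/settings.php', '/sites/default/files'] as $relativePath) {
      $path = $drupalRoot . $relativePath;
      if (!$fs->exists($path)) {
        continue;
      }
      $mode = fileperms($path) & 0777;
      if (($mode & 0002) !== 0) {
        $event->getIO()->writeError(sprintf('%s is world-writable (%04o); tighten it manually.', $relativePath, $mode));
      }
    }
```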