From 8a9cfeb48855b82576e99fc3f64eb50cec4c3422 Mon Sep 17 00:00:00 2001
From: catch <catch@35733.no-reply.drupal.org>
Date: Mon, 29 Jun 2020 12:54:11 +0100
Subject: [PATCH] Issue #2834525 by alexpott, kim.pepper, jummonk,
 joshua.roberson, Ruuds: Permission denied caused by race condition during
 ensureDirectory should be silenced

(cherry picked from commit 16209df49673e360579af9efcaa242c1014565ce)
---
 composer/Plugin/VendorHardening/FileSecurity.php      |  8 +++++---
 .../Drupal/Component/FileSecurity/FileSecurity.php    | 11 ++++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/composer/Plugin/VendorHardening/FileSecurity.php b/composer/Plugin/VendorHardening/FileSecurity.php
index 263314582a5..6e89744beb9 100644
--- a/composer/Plugin/VendorHardening/FileSecurity.php
+++ b/composer/Plugin/VendorHardening/FileSecurity.php
@@ -28,7 +28,7 @@ class FileSecurity {
    *   TRUE if the file already exists or was created. FALSE otherwise.
    */
   public static function writeHtaccess($directory, $deny_public_access = TRUE, $force = FALSE) {
-    return self::writeFile($directory, '/.htaccess', self::htaccessLines($deny_public_access), $force);
+    return self::writeFile($directory, '.htaccess', self::htaccessLines($deny_public_access), $force);
   }
 
   /**
@@ -112,7 +112,7 @@ EOF;
    *   TRUE if the file already exists or was created. FALSE otherwise.
    */
   public static function writeWebConfig($directory, $force = FALSE) {
-    return self::writeFile($directory, '/web.config', self::webConfigLines(), $force);
+    return self::writeFile($directory, 'web.config', self::webConfigLines(), $force);
   }
 
   /**
@@ -154,7 +154,9 @@ EOT;
     if (file_exists($file_path) && !$force) {
       return TRUE;
     }
-    if (file_exists($directory) && is_writable($directory) && file_put_contents($file_path, $contents)) {
+    // Try to write the file. This can fail if concurrent requests are both
+    // trying to write a the same time.
+    if (@file_put_contents($file_path, $contents)) {
       return @chmod($file_path, 0444);
     }
     return FALSE;
diff --git a/core/lib/Drupal/Component/FileSecurity/FileSecurity.php b/core/lib/Drupal/Component/FileSecurity/FileSecurity.php
index d9996bbbca2..1b90afd8dda 100644
--- a/core/lib/Drupal/Component/FileSecurity/FileSecurity.php
+++ b/core/lib/Drupal/Component/FileSecurity/FileSecurity.php
@@ -26,7 +26,7 @@ class FileSecurity {
    *   TRUE if the file already exists or was created. FALSE otherwise.
    */
   public static function writeHtaccess($directory, $deny_public_access = TRUE, $force = FALSE) {
-    return self::writeFile($directory, '/.htaccess', self::htaccessLines($deny_public_access), $force);
+    return self::writeFile($directory, '.htaccess', self::htaccessLines($deny_public_access), $force);
   }
 
   /**
@@ -110,7 +110,7 @@ EOF;
    *   TRUE if the file already exists or was created. FALSE otherwise.
    */
   public static function writeWebConfig($directory, $force = FALSE) {
-    return self::writeFile($directory, '/web.config', self::webConfigLines(), $force);
+    return self::writeFile($directory, 'web.config', self::webConfigLines(), $force);
   }
 
   /**
@@ -152,7 +152,12 @@ EOT;
     if (file_exists($file_path) && !$force) {
       return TRUE;
     }
-    if (file_exists($directory) && is_writable($directory) && file_put_contents($file_path, $contents)) {
+    // Writing the file can fail if:
+    // - concurrent requests are both trying to write at the same time.
+    // - $directory does not exist or is not writable.
+    // Testing for these conditions introduces windows for concurrency issues to
+    // occur.
+    if (@file_put_contents($file_path, $contents)) {
       return @chmod($file_path, 0444);
     }
     return FALSE;