[Tickets #11756] security: do not use sys_get_temp_dir()

bugs at horde.org
Sun Nov 25 21:58:38 UTC 2012

Ticket URL: http://bugs.horde.org/ticket/11756
------------------------------------------------------------------------------
  Ticket             | 11756
  Created By         | enrico.scholz at sigma-chemnitz.de
  Summary            | security: do not use sys_get_temp_dir()
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Unconfirmed
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


enrico.scholz at sigma-chemnitz.de (2012-11-25 21:58) wrote:

Horde places files with hardcoded names (e.g. 'horde_cache_gc' or
'passwd.lock') into the directory returned by sys_get_temp_dir().
Unfortunately, this function is broken in that it always returns the
world-writable /tmp directory and there is no way to change this (I am
aware of modifying the TMPDIR environment variable, but this requires
changes in the apache startup script affecting the whole apache server
including unrelated vhosts).

Having cache data in /tmp requires adding this directory to
'open_basedir', which opens vectors for other security holes.

There are functional problems too when different vhosts with perhaps  
different horde versions are accessing the same /tmp/horde_cache_gc  
file.

You should replace all occurrences of sys_get_temp_dir() with a  
utility function which returns e.g.

| getenv('TMPDIR') ? getenv('TMPDIR') : sys_get_temp_dir()

So, TMPDIR can be configured per vhost/directory in the apache configuration.
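
A stricter variant of the utility function suggested in the ticket, as an added example (not part of the original ticket and not Horde code). The `example_*` function names are hypothetical, and it assumes a POSIX host where TMPDIR is set per vhost to a directory that is not world-writable.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Horde code): pick the temp directory as the
 * ticket proposes, preferring a per-vhost TMPDIR over sys_get_temp_dir().
 */
function example_temp_dir(): string
{
    $dir = getenv('TMPDIR');
    if ($dir === false || $dir === '') {
        $dir = sys_get_temp_dir();
    }
    $real = realpath($dir);
    if ($real === false || !is_dir($real) || !is_writable($real)) {
        throw new RuntimeException("Temp directory not usable: $dir");
    }
    return $real;
}

/** True when any local user can create files in $dir (e.g. /tmp, mode 1777). */
function example_is_world_writable(string $dir): bool
{
    $perms = fileperms($dir);
    if ($perms === false) {
        throw new RuntimeException("Cannot stat $dir");
    }
    return ($perms & 0002) !== 0;
}

/**
 * Path for a fixed-name file such as 'horde_cache_gc'. Refuses world-writable
 * directories, where the name is shared with every other local user and vhost.
 */
function example_fixed_name_path(string $name): string
{
    $dir = example_temp_dir();
    if (example_is_world_writable($dir)) {
        throw new RuntimeException("$dir is world-writable; set TMPDIR per vhost");
    }
    return $dir . DIRECTORY_SEPARATOR . basename($name);
}

// Constructed demo: a private directory stands in for a per-vhost TMPDIR.
$private = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vhost_' . bin2hex(random_bytes(8));
mkdir($private, 0700);
putenv("TMPDIR=$private");
echo example_fixed_name_path('horde_cache_gc'), PHP_EOL;
rmdir($private);
```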