imp-2.2.4 tmpfile problems ?

Jarno Huuskonen Jarno.Huuskonen@uku.fi
Fri, 18 May 2001 14:28:49 +0300


Hi,

I tried sending this to chuck and imp-list but at least the imp-list message
bounced because I hadn't subscribed to the list.

Problem 1:
I may have found some tempfile problems in imp-2.2.4. The problem seems
similar to some earlier imp attachment problems.

When a user uploads an attachment file from the compose message window,
first php creates a temporary file (in upload_tmp_dir); usually the file
will be something like /tmp/phpXXXXXX. Now it's up to compose.php3 to copy
the file to a safe place, and compose.php3 does this with copy(safe_file(...),
safe_file(...) . '.att'). The problem is that the copy call is kind enough
to follow symlinks. All you have to do is create a bunch of /tmp/phpXXXXXX.att
symlinks and keep uploading attachments and you'll end up (over)writing some
file with webserver permissions.

This is a problem when users have access to the imp server and the temporary
files are created in a world-writable directory.

The problem can be remedied by setting php3.ini upload_tmp_dir to,
for example, /tmp/.imp-attachment, and setting the owner of this directory
to the webserver user (usually nobody:nobody) with permissions 0700.

I think it would be a good idea to instruct people to use the upload_tmp_dir
in docs/SECURITY.

(Also, when php-3.0.18 creates the first temporary file it doesn't use
O_EXCL in the open call (this is a php3 bug). And if apache is started
when TMPDIR is set, php3 will try to create temporary files in TMPDIR.)

Problem 2:
imp/lib/mimetypes.lib uses temporary filenames like:
'/tmp/imp.' . date('Y-M-D_H:i:s') . '__' . md5($contents) ...
I can see some problems with this: 'very easy' to abuse temp-race, because the
file is opened with fopen (no symlink checks) (and the file name is easily
guessed).

Also the filename is passed 'as is' to popen, but I hope that md5 will never
generate a checksum like `touch /tmp/I_Win`.

I noticed from the archive that Jon Parise has submitted a patch for
mimetypes.lib, so it'll use tempnam. Like I mentioned above, php-3.0.18
tempnam is not safe to use (if the directory is world writable) because it
has a temp-race problem.

-Jarno

-- 
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Center   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169
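The following is an added example, not code from IMP or from this mail, written in Python rather than IMP's PHP because the point is the OS-level file-creation behaviour the mail describes for both problems: a copy that follows a pre-existing symlink at the destination name (Problem 1), and temporary files opened without O_EXCL under a guessable name in a world-writable directory (Problem 2). It contrasts that with the two mitigations the mail recommends: creating the destination with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), and using a private 0700 upload directory with mkstemp-style unpredictable names. All paths and file names (victim.txt, phpUPLOAD, imp-attachments) are constructed inside a throwaway directory for the demonstration.

```python
import errno
import os
import shutil
import stat
import tempfile


def naive_copy(src_path, dst_path):
    """Copy the way the mail describes copy() behaving: open dst for writing
    and truncate whatever the path resolves to, following a symlink if one
    is already sitting at that name."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        dst.write(src.read())


def safe_copy(src_path, dst_path):
    """Create dst_path only if nothing (file or symlink) exists there.
    O_CREAT|O_EXCL fails with EEXIST when the name already exists, even when
    it is a symlink; O_NOFOLLOW (where available) additionally refuses to
    traverse a symlink at dst_path. The 0o600 mode keeps the attachment
    private to the server user."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dst_path, flags, 0o600)
    with os.fdopen(fd, "wb") as dst, open(src_path, "rb") as src:
        dst.write(src.read())


def make_private_upload_dir(parent):
    """Equivalent of the recommended upload_tmp_dir: a 0700 directory owned
    by the server user, so other local users cannot plant symlinks in it."""
    path = os.path.join(parent, "imp-attachments")  # constructed name
    os.mkdir(path, 0o700)
    os.chmod(path, 0o700)  # mkdir's mode is subject to umask; force it
    return path


def demo():
    """Run both scenarios in a scratch directory and report what happened."""
    results = {}
    work = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        victim = os.path.join(work, "victim.txt")       # file we must not clobber
        upload = os.path.join(work, "phpUPLOAD")        # stands in for /tmp/phpXXXXXX
        planted = os.path.join(work, "phpUPLOAD.att")   # predictable destination name
        with open(victim, "w") as f:
            f.write("original\n")
        with open(upload, "w") as f:
            f.write("attachment\n")
        # A symlink already occupying the destination name (the condition the
        # mail describes in a world-writable /tmp).
        os.symlink(victim, planted)

        # Unsafe copy: the write goes through the symlink into victim.txt.
        naive_copy(upload, planted)
        with open(victim) as f:
            results["naive_overwrote_victim"] = f.read() == "attachment\n"

        # Reset and retry with the exclusive-create variant.
        with open(victim, "w") as f:
            f.write("original\n")
        try:
            safe_copy(upload, planted)
            results["safe_refused"] = False
        except OSError as e:
            results["safe_refused"] = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim) as f:
            results["victim_intact_after_safe"] = f.read() == "original\n"

        # Mitigation for both problems: private 0700 directory plus mkstemp,
        # which uses O_CREAT|O_EXCL and an unpredictable name.
        private = make_private_upload_dir(work)
        fd, tmp = tempfile.mkstemp(dir=private, suffix=".att")
        os.close(fd)
        results["private_dir_mode_0700"] = stat.S_IMODE(os.stat(private).st_mode) == 0o700
        results["mkstemp_file_mode_0600"] = stat.S_IMODE(os.stat(tmp).st_mode) == 0o600
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters operationally is the errno: an EEXIST or ELOOP from the exclusive create is the signal that someone pre-placed a name in the upload directory, which is worth logging as an indicator on a shared host rather than silently retrying.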