[dev] imp-2.2.4 tmpfile problems ?
Anil Madhavapeddy
anil@recoil.org
Fri, 18 May 2001 13:02:30 +0100
Jarno Huuskonen wrote:
>
> When user uploads an attachment file from the compose
> message window first php creates a temporary file
> (in upload_tmp_dir) usually the file will be something
> like /tmp/phpXXXXXX. Now it's upto compose.php3 to copy
> the file to safe place, and compose.php3 does this with
> copy(safe_file(...), safe_file(...) . '.att'). The
> problem is that the copy call is kind enough to follow
> symlinks.
The underlying system call used here by PHP4 is mkstemp(). glibc only
accepts six X entries for randomness, which is why there are six there.
> All you have do is create bunch of /tmp/phpXXXXXX.att
> symlinks and keep uploading attachments and you'll
> end up (over)writing some file with webserver permissions.
Hang on, this wont work. mkstemp() will never overwrite a symlink - it
will create a unique filename, or fail.
On OpenBSD at least, I've patched PHP4 to use 10 X characters, which
makes it practically impossible to exploit.
http://demo.horde.org/devel/horde/chora/checkout.php/ports/www/php4/patc
hes/patch-main_php_open_temporary_file_c?rt=obsd&r=1.1
> I noticed from the archive that Jon Parise has submitted
> a patch for mimetypes.lib, so it'll use tempnam. Like I
> mentioned above php-3.0.18 tempnam is not safe to use
> (if the directory is world writable) because it has a temp-race
> problem.
All the temp problems are fixed (or will be, as soon as I commit the
rest of the new MIME stuff) in 2.3.x, since Horde::getTempFile() will
take care of securely creating a temporary file.
PHP3 isn't really maintained anymore either; it's probably a good idea
for you to migrate to PHP4 and use its temporary filename code.
Anil