[dev] imp-2.2.4 tmpfile problems ?

Anil Madhavapeddy anil@recoil.org
Fri, 18 May 2001 13:02:30 +0100


Jarno Huuskonen wrote:
>
> When user uploads an attachment file from the compose
> message window first php creates a temporary file
> (in upload_tmp_dir) usually the file will be something
> like /tmp/phpXXXXXX. Now it's up to compose.php3 to copy
> the file to safe place, and compose.php3 does this with
> copy(safe_file(...), safe_file(...) . '.att'). The
> problem is that the copy call is kind enough to follow
> symlinks.

The underlying system call used here by PHP4 is mkstemp().  glibc only
accepts six X entries for randomness, which is why there are six there.

> All you have to do is create bunch of /tmp/phpXXXXXX.att
> symlinks and keep uploading attachments and you'll
> end up (over)writing some file with webserver permissions.

Hang on, this won't work.  mkstemp() will never overwrite a symlink - it
will create a unique filename, or fail.

On OpenBSD at least, I've patched PHP4 to use 10 X characters, which
makes it practically impossible to exploit.

http://demo.horde.org/devel/horde/chora/checkout.php/ports/www/php4/patches/patch-main_php_open_temporary_file_c?rt=obsd&r=1.1

> I noticed from the archive that Jon Parise has submitted
> a patch for mimetypes.lib, so it'll use tempnam. Like I
> mentioned above php-3.0.18 tempnam is not safe to use
> (if the directory is world writable) because it has a temp-race
> problem.

All the temp problems are fixed (or will be, as soon as I commit the
rest of the new MIME stuff) in 2.3.x, since Horde::getTempFile() will
take care of securely creating a temporary file.

PHP3 isn't really maintained anymore either; it's probably a good idea
for you to migrate to PHP4 and use its temporary filename code.

Anil
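The two halves of the thread above, mkstemp() for the scratch upload and the later copy to the predictable ".att" name, can be put side by side in C. This is an added illustration, not code from IMP, Horde or PHP: it assumes a private fixture directory under /tmp (constructed for the demo, not the real upload_tmp_dir) and the helper names create_upload_tmp, open_attachment_dest and copy_fd are hypothetical. The point it shows is the one Anil makes about mkstemp(): an O_EXCL create either makes a brand-new file or fails, and applying the same rule (plus O_NOFOLLOW) to the destination name turns a planted symlink into a refused open instead of a redirected write.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* mkstemp, mkdtemp, O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Step 1: the scratch upload. mkstemp() fills in the trailing XXXXXX and
 * opens with O_CREAT|O_EXCL, so it creates a fresh file or fails; it never
 * follows a symlink that happens to sit at the chosen name. */
static int create_upload_tmp(char *tmpl)   /* e.g. ".../phpXXXXXX", edited in place */
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) < 0) {            /* older libcs created mkstemp files 0666 */
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: the final "<name>.att" path. A plain copy() opens whatever is at
 * that name and follows a symlink; O_EXCL (must not exist) plus O_NOFOLLOW
 * (never resolve a link) makes that a hard error instead. */
static int open_attachment_dest(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Step 3: copy by descriptor so no path is re-resolved mid-copy. */
static int copy_fd(int src, int dst)
{
    char buf[4096];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(dst, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
    }
    return n < 0 ? -1 : 0;
}

/* Self-check in a constructed fixture directory. Returns 0 when the hardened
 * open refuses a pre-planted symlink at the .att name (leaving the link's
 * target untouched) and then succeeds once the name is free; otherwise the
 * number of the step that failed. */
int demo_safe_attachment_copy(void)
{
    char dir[] = "/tmp/attdemoXXXXXX";
    if (!mkdtemp(dir))
        return 1;

    char tmpl[64], dest[80], victim[80], back[16];
    snprintf(tmpl, sizeof tmpl, "%s/phpXXXXXX", dir);
    int src = create_upload_tmp(tmpl);
    if (src < 0 || write(src, "hello", 5) != 5 || lseek(src, 0, SEEK_SET) != 0)
        return 2;

    /* Stand-in for a file that must never be clobbered through a link. */
    snprintf(victim, sizeof victim, "%s/protected", dir);
    snprintf(dest, sizeof dest, "%s.att", tmpl);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4)
        return 3;
    close(v);
    if (symlink(victim, dest) < 0)
        return 4;

    /* Hardened open must fail with EEXIST and "protected" must be unchanged. */
    int dst = open_attachment_dest(dest);
    if (dst >= 0 || errno != EEXIST)
        return 5;
    int chk = open(victim, O_RDONLY | O_NOFOLLOW);
    if (chk < 0 || read(chk, back, sizeof back) != 4 || memcmp(back, "keep", 4))
        return 6;
    close(chk);

    /* With the link gone, the same call creates the file and the copy lands. */
    unlink(dest);
    dst = open_attachment_dest(dest);
    if (dst < 0 || copy_fd(src, dst) < 0)
        return 7;
    close(dst);
    close(src);
    chk = open(dest, O_RDONLY | O_NOFOLLOW);
    if (chk < 0 || read(chk, back, sizeof back) != 5 || memcmp(back, "hello", 5))
        return 8;
    close(chk);

    unlink(dest); unlink(tmpl); unlink(victim); rmdir(dir);   /* tidy fixture */
    return 0;
}

int main(void)
{
    int rc = demo_safe_attachment_copy();
    if (rc == 0)
        puts("hardened attachment copy: OK");
    else
        printf("failed at step %d\n", rc);
    return rc;
}
```

The same idea applies to the PHP side: what matters is not how long the random suffix is but that the destination is created with an exclusive, non-following open, so a guessed name yields an error rather than a write through someone else's link.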