Bug 41229
| Summary: | php-3.0.18 uses insecure tmp-files | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Jarno Huuskonen <jarno.huuskonen> | ||||||
| Component: | php | Assignee: | Joe Orton <jorton> | ||||||
| Status: | CLOSED WONTFIX | QA Contact: | David Lawrence <dkl> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 6.2 | CC: | kmaraas | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | i386 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2003-04-02 11:02:33 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 18890 [details]
Experimental patch for php-3.0.18 to use mkstemp/fdopen for file uploads
Created attachment 19072 [details]
Fixed patch: Now should work when upload_tmp_dir is not set.
Is this still relevant? 6.2 is no longer supported for errata and was the last Red Hat version to ship with PHP version 3 |
Description of Problem: Php tempnam function creates insecure temporary filenames. This function calls mktemp/tempnam --> files are created afterwards without O_EXCL. Insecure temporary files are created for example with form fileuploads. This can be quite nasty with imp-webmail: First user uploads a file (so user controls the filecontent) and php3 creates tmp file called "/tmp/phpXXXXXX" (this file creation has the tmp-race). After that it's imps job to copy the tmp file, and imp does a copy("/tmp/phpXXXXXX", "/tmp/phpXXXXXXX.att") without checking that the /tmp/phpXXXXXX.att file doesn't exist (imp problem). One possible workaround is to set the 'upload_tmp_dir' variable in php3.ini away from world-writable directory. -Jarno