Bug 41229 - php-3.0.18 uses insecure tmp-files
php-3.0.18 uses insecure tmp-files
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: php (Show other bugs)
6.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-05-18 07:46 EDT by Jarno Huuskonen
Modified: 2007-04-18 12:33 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-02 06:02:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Experimental patch for php-3.0.18 to use mkstemp/fdopen for file uploads (3.55 KB, patch)
2001-05-18 07:48 EDT, Jarno Huuskonen
no flags Details | Diff
Fixed patch: Now should work when upload_tmp_dir is not set. (3.89 KB, patch)
2001-05-20 11:39 EDT, Jarno Huuskonen
no flags Details | Diff

  None (edit)
Description Jarno Huuskonen 2001-05-18 07:46:59 EDT
Description of Problem:
Php tempnam function creates insecure temporary filenames. This
function calls mktemp/tempnam --> files are created afterwards without
O_EXCL. Insecure temporary files are created for example with form
fileuploads.

This can be quite nasty with imp-webmail: First user uploads a file (so
user controls the filecontent) and php3 creates tmp file
called "/tmp/phpXXXXXX" (this file creation has the tmp-race). After
that it's imps job to copy the tmp file, and imp does a
copy("/tmp/phpXXXXXX", "/tmp/phpXXXXXXX.att") without checking that the
/tmp/phpXXXXXX.att file doesn't exist (imp problem).

One possible workaround is to set the 'upload_tmp_dir' variable in 
php3.ini away from world-writable directory.

-Jarno
Comment 1 Jarno Huuskonen 2001-05-18 07:48:26 EDT
Created attachment 18890 [details]
Experimental patch for php-3.0.18 to use mkstemp/fdopen for file uploads
Comment 2 Jarno Huuskonen 2001-05-20 11:39:27 EDT
Created attachment 19072 [details]
Fixed patch: Now should work when upload_tmp_dir is not set.
Comment 3 Kjartan Maraas 2003-03-31 15:29:18 EST
Is this still relevant?
Comment 4 Mark J. Cox (Product Security) 2003-04-02 06:02:33 EST
6.2 is no longer supported for errata and was the last Red Hat version to ship
with PHP version 3

Note You need to log in before you can comment on or make changes to this bug.