Bug 41229 - php-3.0.18 uses insecure tmp-files
Summary: php-3.0.18 uses insecure tmp-files
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: php
Version: 6.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-05-18 11:46 UTC by Jarno Huuskonen
Modified: 2007-04-18 16:33 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2003-04-02 11:02:33 UTC


Attachments (Terms of Use)
Experimental patch for php-3.0.18 to use mkstemp/fdopen for file uploads (3.55 KB, patch)
2001-05-18 11:48 UTC, Jarno Huuskonen
no flags Details | Diff
Fixed patch: Now should work when upload_tmp_dir is not set. (3.89 KB, patch)
2001-05-20 15:39 UTC, Jarno Huuskonen
no flags Details | Diff

Description Jarno Huuskonen 2001-05-18 11:46:59 UTC
Description of Problem:
Php tempnam function creates insecure temporary filenames. This
function calls mktemp/tempnam --> files are created afterwards without
O_EXCL. Insecure temporary files are created for example with form
fileuploads.

This can be quite nasty with imp-webmail: First user uploads a file (so
user controls the filecontent) and php3 creates tmp file
called "/tmp/phpXXXXXX" (this file creation has the tmp-race). After
that it's imps job to copy the tmp file, and imp does a
copy("/tmp/phpXXXXXX", "/tmp/phpXXXXXXX.att") without checking that the
/tmp/phpXXXXXX.att file doesn't exist (imp problem).

One possible workaround is to set the 'upload_tmp_dir' variable in 
php3.ini away from world-writable directory.

-Jarno

Comment 1 Jarno Huuskonen 2001-05-18 11:48:26 UTC
Created attachment 18890 [details]
Experimental patch for php-3.0.18 to use mkstemp/fdopen for file uploads

Comment 2 Jarno Huuskonen 2001-05-20 15:39:27 UTC
Created attachment 19072 [details]
Fixed patch: Now should work when upload_tmp_dir is not set.

Comment 3 Kjartan Maraas 2003-03-31 20:29:18 UTC
Is this still relevant?

Comment 4 Mark J. Cox 2003-04-02 11:02:33 UTC
6.2 is no longer supported for errata and was the last Red Hat version to ship
with PHP version 3


Note You need to log in before you can comment on or make changes to this bug.