php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33254 tempnam security problem?
Submitted: 2005-06-06 10:14 UTC Modified: 2005-06-21 01:00 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: unknown-php at masterhost dot ru Assigned:
Status: No Feedback Package: Safe Mode/open_basedir
PHP Version: 4.3.11 OS: FreeBSD
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-06-06 10:14 UTC] unknown-php at masterhost dot ru
Description:
------------
  We have a mass virtual hosting server. Regardless of the open_basedir and other restriction, we can't restrict temp file creation to directory onside the user's home dir. Therefore user can create huge amount of files and overfull the file system, and we can't supervise it and even can't determine which user has created these files.
  It seems to be a bug or omission that tempnam can create files outside the open_basedir and there no another restriction for it. I think it should be any restriction to prevent situations like this.

Reproduce code:
---------------
php_admin_value open_basedir   /home/user/
php_admin_value doc_root       /home/user/domain
php_admin_value upload_tmp_dir /home/user/domain/tmp


<?php
$tmpfname = tempnam("/tmp", "FOO");

$handle = fopen($tmpfname, "w");
fwrite($handle, "data");
fclose($handle);
?>

Expected result:
----------------
We expect to see the error like this:
"open_basedir restriction in effect. File /tmp/FOOxjEb8i) is not within the allowed path(s)"

Actual result:
--------------
Really the file was successfully created inside the system temp directory, outside the open_basedir path.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-06-06 15:44 UTC] unknown-php at masterhost dot ru
With the current CVS snapshot tempnam() creates files inside system temp directory anyway, but now fopen() already returns an error (open_basedir restriction in effect). So we have a lot of zero-size files in system temp directory...
  I think it's necessary to refuse the file creation and return an error at the tempnam() function call.
 [2005-06-08 08:45 UTC] unknown-php at masterhost dot ru
I think, it's a security problem
 [2005-06-13 11:03 UTC] tony2001@php.net
Can't reproduce.
I got the very expected error message instead.
 [2005-06-21 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Mar 30 21:01:23 2020 UTC