php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33254 tempnam security problem?
Submitted: 2005-06-06 10:14 UTC Modified: 2005-06-21 01:00 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: unknown-php at masterhost dot ru Assigned:
Status: No Feedback Package: Safe Mode/open_basedir
PHP Version: 4.3.11 OS: FreeBSD
Private report: No CVE-ID: None
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
24 - 10 = ?
Subscribe to this entry?

 
 [2005-06-06 10:14 UTC] unknown-php at masterhost dot ru
Description:
------------
  We have a mass virtual hosting server. Regardless of the open_basedir and other restriction, we can't restrict temp file creation to directory onside the user's home dir. Therefore user can create huge amount of files and overfull the file system, and we can't supervise it and even can't determine which user has created these files.
  It seems to be a bug or omission that tempnam can create files outside the open_basedir and there no another restriction for it. I think it should be any restriction to prevent situations like this.

Reproduce code:
---------------
php_admin_value open_basedir   /home/user/
php_admin_value doc_root       /home/user/domain
php_admin_value upload_tmp_dir /home/user/domain/tmp


<?php
$tmpfname = tempnam("/tmp", "FOO");

$handle = fopen($tmpfname, "w");
fwrite($handle, "data");
fclose($handle);
?>

Expected result:
----------------
We expect to see the error like this:
"open_basedir restriction in effect. File /tmp/FOOxjEb8i) is not within the allowed path(s)"

Actual result:
--------------
Really the file was successfully created inside the system temp directory, outside the open_basedir path.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-06-06 15:44 UTC] unknown-php at masterhost dot ru
With the current CVS snapshot tempnam() creates files inside system temp directory anyway, but now fopen() already returns an error (open_basedir restriction in effect). So we have a lot of zero-size files in system temp directory...
  I think it's necessary to refuse the file creation and return an error at the tempnam() function call.
 [2005-06-08 08:45 UTC] unknown-php at masterhost dot ru
I think, it's a security problem
 [2005-06-13 11:03 UTC] tony2001@php.net
Can't reproduce.
I got the very expected error message instead.
 [2005-06-21 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 21:01:27 2024 UTC