Hi Mathieu,

On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
> > Hi Mathieu,
> >
> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> Version: 5.3.6-1
> >>
> >> Hello,
> >>
> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 
> >> 1.9.2
> >
> > is this true? I just did a quick check (not a full analysis) and it
> > still seems to use /tmp/pear.
> 
> Yes, it does. But it checks for symlinks and truncate the file.
> 
> This even introduced a regression on Windows:
> https://pear.php.net/bugs/bug.php?id=18834
> 
> > Can you check if the upstream bug report might be pointing to the
> > wrong fixing version?
> 
> This is:
> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> (which is in 1.9.2)
> 
> And further improvement in:
> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> (which is in 1.9.3)
> 
> > (I have reopened the bugs for now)
> 
> Can we close it then?

Well, IMHO no, that is not correct. The issues are still there even if
you cannot clobber someone else's files anymore. A user can block another
user this way.

As user foo do:

foo@sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.....done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded


then replace the cache files with symlinks (e.g. to files in the home
directory of user bar, since he wants to try to clobber these files). bar
is now unable to pear download HTML_Common2:

bar@sid:~$ pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar@sid:~$ ls
bar@sid:~$

or as root

root@sid:~# pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root@sid:~# pear install HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root@sid:~#

So again, I don't think the issues with unsafe use of /tmp are fixed
correctly and the bugs should not be closed. PHP maintainers, what do
you think (Ondřej cc'ed)?

Regards,
Salvatore
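The failure mode described in this mail is a cache kept in a shared, world-writable /tmp/pear, where another local user can pre-create the cache files (as symlinks or as junk) and the consumer either follows them or chokes on unserialize(). The following is an added example of the mitigation a defender would want, not code from PEAR or from anyone in this thread: a per-user cache directory created with mode 0700 outside /tmp, an lstat()-based check that refuses symlinks, foreign ownership and group/world-writable entries before any cache file is touched, atomic replacement of cache entries via rename(), and treatment of a corrupt entry as a cache miss instead of a fatal "No releases available". It assumes PHP 7 or later with the POSIX extension; the function names (`private_cache_dir`, `assert_private_path`, `cache_write`, `cache_read`) and the `$XDG_CACHE_HOME`/`~/.cache/pear` layout are this example's own choices, and the usage values at the bottom are constructed.

```php
<?php
// Added example (not PEAR's code): private per-user cache with symlink,
// ownership and permission checks. Function names are hypothetical.
declare(strict_types=1);

function assert_private_path(string $path, bool $expectDir): void
{
    // lstat() does not follow symlinks, so a link planted at $path is
    // detected here instead of being silently dereferenced.
    $st = @lstat($path);
    if ($st === false) {
        throw new RuntimeException("$path does not exist");
    }
    $type = $st['mode'] & 0170000;
    if ($type === 0120000) {
        throw new RuntimeException("$path is a symlink; refusing to use it");
    }
    if (($type === 0040000) !== $expectDir) {
        throw new RuntimeException("$path has an unexpected file type");
    }
    if ($st['uid'] !== posix_geteuid()) {
        throw new RuntimeException("$path is owned by another user");
    }
    if (($st['mode'] & 0022) !== 0) {
        throw new RuntimeException("$path is group- or world-writable");
    }
}

function private_cache_dir(): string
{
    // Per-user location: $XDG_CACHE_HOME/pear, else ~/.cache/pear.
    // Deliberately no fallback to a shared /tmp.
    $base = getenv('XDG_CACHE_HOME');
    if ($base === false || $base === '') {
        $home = getenv('HOME');
        if ($home === false || $home === '') {
            throw new RuntimeException('HOME is not set; refusing to fall back to /tmp');
        }
        $base = $home . '/.cache';
    }
    $dir = $base . '/pear';
    if (!is_dir($dir) && !@mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    assert_private_path($dir, true);
    return $dir;
}

function cache_path(string $name): string
{
    // Hash the key so an untrusted name cannot traverse out of the directory.
    return private_cache_dir() . '/' . hash('sha256', $name) . '.cache';
}

function cache_write(string $name, $value): void
{
    $file = cache_path($name);
    // Write to a fresh 0600 temporary file inside the private directory and
    // rename() it over the target: an existing entry (symlink or not) is
    // replaced as a directory entry, never opened or followed.
    $tmp = tempnam(dirname($file), 'pearcache');
    if ($tmp === false) {
        throw new RuntimeException("cannot create temporary file next to $file");
    }
    if (file_put_contents($tmp, serialize($value), LOCK_EX) === false || !rename($tmp, $file)) {
        @unlink($tmp);
        throw new RuntimeException("cannot replace $file");
    }
}

function cache_read(string $name)
{
    $file = cache_path($name);
    if (@lstat($file) === false) {
        return null; // plain cache miss
    }
    assert_private_path($file, false);
    $raw = file_get_contents($file);
    // A truncated or corrupt entry is a cache miss that gets evicted,
    // not a fatal error surfaced to the user as "No releases available".
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        @unlink($file);
        return null;
    }
    return $value;
}

// Usage with constructed values:
cache_write('rest:pear.php.net/HTML_Common2', ['2.1.1' => 'stable']);
var_dump(cache_read('rest:pear.php.net/HTML_Common2'));
```

The two checks that matter most for the scenario in the mail are the symlink refusal and the owner comparison in `assert_private_path`: even if the directory itself were shared, a cache file created by another user is rejected before it is read, and `unserialize()` is called with `allowed_classes => false` so a corrupt or hostile entry cannot instantiate objects on the way to being discarded.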
