#33254 [NEW]: tempnam security problem?

Mon, 06 Jun 2005 01:49:06 -0700 

From:             unknown-php at masterhost dot ru
Operating system: FreeBSD
PHP version:      4.3.11
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  tempnam security problem?

Description:
------------
  We have a mass virtual hosting server. Regardless of the open_basedir
and other restriction, we can't restrict temp file creation to directory
onside the user's home dir. Therefore user can create huge amount of files
and overfull the file system, and we can't supervise it and even can't
determine which user has created these files.
  It seems to be a bug or omission that tempnam can create files outside
the open_basedir and there no another restriction for it. I think it
should be any restriction to prevent situations like this.

Reproduce code:
---------------
php_admin_value open_basedir   /home/user/
php_admin_value doc_root       /home/user/domain
php_admin_value upload_tmp_dir /home/user/domain/tmp


<?php
$tmpfname = tempnam("/tmp", "FOO");

$handle = fopen($tmpfname, "w");
fwrite($handle, "data");
fclose($handle);
?>

Expected result:
----------------
We expect to see the error like this:
"open_basedir restriction in effect. File /tmp/FOOxjEb8i) is not within
the allowed path(s)"

Actual result:
--------------
Really the file was successfully created inside the system temp directory,
outside the open_basedir path.

-- 
Edit bug report at http://bugs.php.net/?id=33254&edit=1
-- 
Try a CVS snapshot (php4):   http://bugs.php.net/fix.php?id=33254&r=trysnapshot4
Try a CVS snapshot (php5.0): 
http://bugs.php.net/fix.php?id=33254&r=trysnapshot50
Try a CVS snapshot (php5.1): 
http://bugs.php.net/fix.php?id=33254&r=trysnapshot51
Fixed in CVS:                http://bugs.php.net/fix.php?id=33254&r=fixedcvs
Fixed in release:            http://bugs.php.net/fix.php?id=33254&r=alreadyfixed
Need backtrace:              http://bugs.php.net/fix.php?id=33254&r=needtrace
Need Reproduce Script:       http://bugs.php.net/fix.php?id=33254&r=needscript
Try newer version:           http://bugs.php.net/fix.php?id=33254&r=oldversion
Not developer issue:         http://bugs.php.net/fix.php?id=33254&r=support
Expected behavior:           http://bugs.php.net/fix.php?id=33254&r=notwrong
Not enough info:             
http://bugs.php.net/fix.php?id=33254&r=notenoughinfo
Submitted twice:             
http://bugs.php.net/fix.php?id=33254&r=submittedtwice
register_globals:            http://bugs.php.net/fix.php?id=33254&r=globals
PHP 3 support discontinued:  http://bugs.php.net/fix.php?id=33254&r=php3
Daylight Savings:            http://bugs.php.net/fix.php?id=33254&r=dst
IIS Stability:               http://bugs.php.net/fix.php?id=33254&r=isapi
Install GNU Sed:             http://bugs.php.net/fix.php?id=33254&r=gnused
Floating point limitations:  http://bugs.php.net/fix.php?id=33254&r=float
No Zend Extensions:          http://bugs.php.net/fix.php?id=33254&r=nozend
MySQL Configuration Error:   http://bugs.php.net/fix.php?id=33254&r=mysqlcfg

Reply via email to