csteipp created this task.
csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo, csteipp, 
Andreasburmeister, Liuxinyu970226, Aklapper, 
Wikibase-Quality-External-Validation.
csteipp added projects: Wikibase-Quality, Wikidata, 
Wikibase-Quality-External-Validation.

TASK DESCRIPTION
  Extracting an archive into a directory that contains a symlink with the same 
name as a file in the archive will overwrite the symlink target, if the user 
extracting the archive has permissions to it. The current scheme is vulnerable 
to an attacker setting up a symlink in the temp directory of the production 
server, and when the user importing the data runs UpdateTable.php, they will 
overwrite a file that they have permissions to edit of the attacker's choosing.
  
  There really isn't a good reason to use an archive here-- just upload the two 
files separately.
  
  Additionally, issues like CVE-2015-3329 make me nervous to use phar in 
production without a really good reason.

TASK DETAIL
  https://phabricator.wikimedia.org/T103438

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: csteipp
Cc: Wikibase-Quality-External-Validation, Aklapper, Liuxinyu970226, 
Andreasburmeister, csteipp, Tamslo, Jonaskeutel, JanZerebecki, Wikidata-bugs, 
aude, Malyacko, P.Copp



_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

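The failure mode described in the task, reproduced as an added example (this is not code from the task, the Wikibase-Quality extension or the Wikimedia project). It builds a small tar archive in memory, plants a symlink in a shared extraction directory the way an attacker with write access to the server's temp directory could, and runs two extractors against it: a naive one that writes each member with a plain open() (which follows the symlink and overwrites its target), and a hardened one that only accepts plain regular files and creates each destination with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted entry makes the write fail instead of being followed. The archive member name `data.csv`, the victim file name and all file contents are constructed sample data; the code assumes a POSIX system where os.symlink and O_NOFOLLOW are available.

```python
import io
import os
import shutil
import tarfile
import tempfile


def build_archive(members):
    """Build an in-memory tar of regular files (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(archive_bytes, dest):
    """The pattern the task warns about: write each member to dest/name with a
    plain open(). If dest/name already exists as a symlink, open() follows it
    and the member body lands in the link target, wherever that points."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar:
            with tar.extractfile(member) as src, \
                    open(os.path.join(dest, member.name), "wb") as dst:
                shutil.copyfileobj(src, dst)


def hardened_extract(archive_bytes, dest):
    """Accept only regular files with a bare file name, and create each one
    with O_CREAT|O_EXCL|O_NOFOLLOW: an existing entry at the destination path,
    symlink or not, makes os.open() raise FileExistsError instead of being
    followed. Nothing is written through a pre-planted link."""
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # assumed present on POSIX targets
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar:
            if not member.isreg():
                raise ValueError("refusing non-regular member %r" % member.name)
            if (os.path.basename(member.name) != member.name
                    or member.name in ("", ".", "..")):
                raise ValueError("refusing member with path components %r"
                                 % member.name)
            fd = os.open(os.path.join(dest, member.name),
                         os.O_WRONLY | os.O_CREAT | os.O_EXCL | nofollow, 0o600)
            with os.fdopen(fd, "wb") as dst, tar.extractfile(member) as src:
                shutil.copyfileobj(src, dst)


ORIGINAL = b"original contents\n"      # constructed victim file body
PAYLOAD = b"attacker-chosen contents\n"  # constructed archive member body


def demo():
    """Plant shared_tmp/data.csv -> victim, then run both extractors against
    the same planted link. Returns what happened to the victim file."""
    with tempfile.TemporaryDirectory() as victim_dir, \
            tempfile.TemporaryDirectory() as shared_tmp:
        victim = os.path.join(victim_dir, "victim.txt")  # hypothetical target
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        os.symlink(victim, os.path.join(shared_tmp, "data.csv"))
        archive = build_archive({"data.csv": PAYLOAD})

        naive_extract(archive, shared_tmp)
        with open(victim, "rb") as f:
            after_naive = f.read()

        with open(victim, "wb") as f:  # reset, then try the hardened path
            f.write(ORIGINAL)
        try:
            hardened_extract(archive, shared_tmp)
            blocked = False
        except FileExistsError:
            blocked = True
        with open(victim, "rb") as f:
            after_hardened = f.read()
    return {"naive_clobbered": after_naive == PAYLOAD,
            "hardened_blocked": blocked,
            "hardened_intact": after_hardened == ORIGINAL}


def hardened_into_fresh_dir():
    """The other half of the mitigation: extract into a directory this process
    just created with mkdtemp (mode 0700, unpredictable name), so nothing can
    have been planted in it beforehand. Returns the extracted bytes."""
    archive = build_archive({"data.csv": b"col1,col2\n1,2\n"})
    dest = tempfile.mkdtemp()
    try:
        hardened_extract(archive, dest)
        with open(os.path.join(dest, "data.csv"), "rb") as f:
            return f.read()
    finally:
        shutil.rmtree(dest)


if __name__ == "__main__":
    print(demo())
    print(hardened_into_fresh_dir())
```

In the demo the naive extractor reports `naive_clobbered: True` while the hardened one reports `hardened_blocked: True` and leaves the victim untouched. Neither check is a substitute for the task's actual recommendation (upload the two files separately and skip the archive): O_EXCL only helps if the destination is not a directory the attacker can keep re-populating, which is why the fresh mkdtemp directory matters as much as the open flags.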