From: ondrej
Operating system:
PHP version: 5.4.0RC7
Package: *Configuration Issues
Bug Type: Bug
Bug description: Security risk from find usage recommendation
Description:
------------
    ; NOTE: If you are using the subdirectory option for storing session files
    [...]
    ;       find /path/to/sessions -cmin +24 | xargs rm

because it is prone to a '\n' attack. You can see the security considerations of GNU find.

Much better would be:

    find /path/to/sessions -cmin +24 -delete

or at least

    find /path/to/sessions -cmin +24 -execdir rm "{}" \;

(GNU find)

The most error-prone way is something we cooked up in Debian:

    find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +24 ! -execdir fuser -s {} 2>/dev/null \; -delete

which depends on fuser at least version 22.15 (which has removed the fork() call that was able to swamp the whole system with zombies). The fuser call checks if the session file is still in use, because the script was deleting still-active sessions opened 24+ mins ago.

Test script:
---------------
Race condition for -exec rm {} \;:

    while true; do
        mkdir /var/lib/php5/blah
        touch /var/lib/php5/blah/passwd
        rmdir /var/lib/php5/blah
        ln -s /etc /var/lib/php5/blah
    done

xargs attack:

    ondrej@howl:/tmp/php_sess$ touch bar
    ondrej@howl:/tmp/php_sess$ touch -t 201201010000 "$(echo -e 'foo\nbar')"
    ondrej@howl:/tmp/php_sess$ ls -l
    total 0
    -rw-r--r-- 1 ondrej ondrej 0 Feb  9 01:26 bar
    -rw-r--r-- 1 ondrej ondrej 0 Jan  1 00:00 foo?bar
    ondrej@howl:/tmp/php_sess$ find /tmp/php_sess -mmin +24
    /tmp/php_sess/foo?bar
    ondrej@howl:/tmp/php_sess$ find /tmp/php_sess -mmin +24 | xargs rm
    rm: cannot remove `/tmp/php_sess/foo': No such file or directory
    ondrej@howl:/tmp/php_sess$ ls -l
    total 0
    -rw-r--r-- 1 ondrej ondrej 0 Jan  1 00:00 foo?bar

-- 
Edit bug report at https://bugs.php.net/bug.php?id=61020&edit=1
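As an added illustration (not part of the bug report or of the php.ini text it quotes), the following shell script reproduces the newline case above inside a temporary directory it creates itself, and contrasts the "find | xargs rm" pipeline with the "-print0 | xargs -0" and "-delete" forms. The function names, the fresh file "bar" and the stale file named "foo<newline>bar" are constructed for this example; the symlink race and the fuser check from the report are not reproduced here.

```sh
#!/bin/sh
# Added example (not from bug #61020): reproduce the '\n' filename problem
# with "find | xargs rm" and show two newline-safe replacements.
# Everything happens in a throwaway directory created by setup_sessions.

# Create a fake session directory: one fresh file ("bar") that must survive
# and one stale file whose name contains a newline ("foo<LF>bar"), dated 2012.
setup_sessions() {
    dir=$(mktemp -d)
    touch "$dir/bar"
    touch -t 201201010000 "$dir/$(printf 'foo\nbar')"
    printf '%s\n' "$dir"
}

# The quoted recommendation: find prints one name per line, so xargs sees
# "./foo" (does not exist) and "bar" (the wrong, still-fresh file).
prune_unsafe() {
    ( cd "$1" && find . -type f -mmin +24 | xargs rm 2>/dev/null )
}

# Newline-safe variant 1: NUL-terminate names on both sides of the pipe.
prune_print0() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -mmin +24 -print0 | xargs -0 rm
}

# Newline-safe variant 2 (GNU/BSD find): no shell or xargs involved at all;
# find unlinks exactly the entry it matched.
prune_delete() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -mmin +24 -delete
}

# Number of regular files left, counted without relying on newline-separated output.
count_files() {
    find "$1" -type f -exec printf x \; | wc -c | tr -d ' '
}

# Name of the constructed stale file, for the checks in demo and the tests.
stale_name() { printf 'foo\nbar'; }

# Run all three variants on fresh copies of the directory and report the outcome.
demo() {
    for variant in prune_unsafe prune_print0 prune_delete; do
        d=$(setup_sessions)
        "$variant" "$d" 2>/dev/null || true
        fresh=no; [ -f "$d/bar" ] && fresh=yes
        stale=no; [ -f "$d/$(stale_name)" ] && stale=yes
        printf '%-13s files left: %s  fresh "bar" kept: %s  stale file removed: %s\n' \
            "$variant" "$(count_files "$d")" "$fresh" \
            "$([ "$stale" = no ] && echo yes || echo no)"
        rm -rf "$d"
    done
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the single argument "demo" to print the result of each variant; the unsafe pipeline leaves the stale file in place and removes the fresh "bar" (because xargs splits the name at the newline and rm runs relative to the session directory), while both safe forms remove only the stale entry. The report's "-execdir rm "{}" \;" form also passes the name as a single argv entry and so is not affected by the newline, but it is the form the report's race-condition script targets.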