From:             ondrej
Operating system: 
PHP version:      5.4.0RC7
Package:          *Configuration Issues
Bug Type:         Bug
Bug description:  Security risk from find usage recommendation

Description:
------------
; NOTE: If you are using the subdirectory option for storing session files
[...]
;          find /path/to/sessions -cmin +24 | xargs rm

because it is prone to a '\n' attack; see the security
considerations in the GNU find documentation.

Much better would be:

find /path/to/sessions -cmin +24 -delete
or at least
find /path/to/sessions -cmin +24 -execdir rm "{}" \; (GNU find)

The most error-prone way is something we cooked up in Debian:

find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
    -ignore_readdir_race -cmin +24 \
    ! -execdir fuser -s {} 2>/dev/null \; \
    -delete

which depends on fuser version 22.15 or later (which removed a fork() call
that could swamp the whole system with zombies).

The fuser call checks whether the session file is still in use, because the
script was deleting still-active sessions opened 24+ minutes ago.


Test script:
---------------
Race condition for -exec rm {} \;:

while true; do
  mkdir /var/lib/php5/blah
  touch /var/lib/php5/blah/passwd
  # window: find has already picked up /var/lib/php5/blah/passwd for rm
  rm /var/lib/php5/blah/passwd       # empty the directory so rmdir succeeds
  rmdir /var/lib/php5/blah
  ln -s /etc /var/lib/php5/blah
  # rm /var/lib/php5/blah/passwd now resolves to /etc/passwd
  rm /var/lib/php5/blah              # drop the symlink so the loop can repeat
done

xargs attack:

ondrej@howl:/tmp/php_sess$ touch bar
ondrej@howl:/tmp/php_sess$ touch -t 201201010000 "$(echo -e 'foo\nbar')"
ondrej@howl:/tmp/php_sess$ ls -l
total 0
-rw-r--r-- 1 ondrej ondrej 0 Feb  9 01:26 bar
-rw-r--r-- 1 ondrej ondrej 0 Jan  1 00:00 foo?bar
ondrej@howl:/tmp/php_sess$ find /tmp/php_sess -mmin +24
/tmp/php_sess/foo?bar
ondrej@howl:/tmp/php_sess$ find /tmp/php_sess -mmin +24 | xargs rm
rm: cannot remove `/tmp/php_sess/foo': No such file or directory
ondrej@howl:/tmp/php_sess$ ls -l
total 0
-rw-r--r-- 1 ondrej ondrej 0 Jan  1 00:00 foo?bar



-- 
Edit bug report at https://bugs.php.net/bug.php?id=61020&edit=1
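The following is an added example, not part of this bug report or of PHP, that reproduces the xargs newline problem described above in a throw-away directory and contrasts it with the two newline-safe forms (find -delete and find -print0 | xargs -0). It assumes GNU or BSD find and xargs and a POSIX shell; the "session" directory and file names are constructed for the demo. It matches on mtime (-mmin) rather than the ctime (-cmin) used in php.ini because touch can only forge mtime.

```sh
#!/bin/sh
# Added example (not from the bug report or PHP): show why "find | xargs rm"
# misses a session file whose name contains '\n', and that "-delete" or
# "-print0 | xargs -0" remove it. Runs entirely inside a temporary directory
# created by mktemp; nothing here touches a real PHP session directory.

# Build a sandbox "session directory" holding two stale files: one with an
# ordinary name and one whose name embeds a newline. Prints the directory.
setup_sessions() {
  d=$(mktemp -d) || return 1
  nl_name=$(printf 'sess_foo\nbar')          # constructed name with '\n'
  touch -t 201201010000 "$d/sess_plain"       # mtime forced to 2012-01-01
  touch -t 201201010000 "$d/$nl_name"
  printf '%s\n' "$d"
}

# Count regular files directly inside a directory without assuming one name
# per output line (which is exactly the assumption '\n' in a name breaks).
count_files() {
  find "$1" -mindepth 1 -maxdepth 1 -type f -exec printf . \; | wc -c | tr -d ' \t\n'
}

# The pattern the php.ini comment recommends. xargs splits its input on
# whitespace including newlines, so "sess_foo\nbar" turns into the two
# arguments ".../sess_foo" and "bar": rm fails on both and the file survives.
cleanup_unsafe() {
  find "$1" -mindepth 1 -maxdepth 1 -type f -mmin +24 | xargs rm 2>/dev/null || true
  count_files "$1"
}

# Newline-safe: find unlinks each matching entry itself, no argv round trip.
cleanup_delete() {
  find "$1" -mindepth 1 -maxdepth 1 -type f -mmin +24 -delete
  count_files "$1"
}

# Newline-safe with xargs: NUL-terminated names (NUL cannot occur in a path).
cleanup_xargs0() {
  find "$1" -mindepth 1 -maxdepth 1 -type f -mmin +24 -print0 | xargs -0 rm -f
  count_files "$1"
}

# Walk through the three variants and report how many stale files remain.
demo() {
  d=$(setup_sessions)
  echo "before:            $(count_files "$d") files"
  echo "after xargs rm:    $(cleanup_unsafe "$d") file(s) left"
  echo "after -delete:     $(cleanup_delete "$d") file(s) left"
  d2=$(setup_sessions)
  echo "after xargs -0 rm: $(cleanup_xargs0 "$d2") file(s) left"
  rm -rf "$d" "$d2"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh cleanup_demo.sh demo`: the xargs variant leaves one file behind (the newline-named one) while the other two leave none. The fuser guard from the Debian command is deliberately not included here, since it needs a live process holding the session file open to show anything.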