| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 1.10.15 |
| Bug #18834 | Bug #18056 regression on windows | ||
|---|---|---|---|
| Submitted: | 2011-09-15 10:45 UTC | ||
| From: | doconnor | Assigned: | avb |
| Status: | Closed | Package: | PEAR (version 1.9.4) |
| PHP Version: | 5.3.8 | OS: | |
| Roadmaps: | 1.9.5 | ||
[2011-09-15 10:45 UTC] doconnor
(Daniel O'Connor)
Description:
------------
The fixes for Bug #18056 appear to be too aggressive on a
windows environment.
I don't believe even the latest windows have anything like a
symlink; so potentially checking the OS will fix this
Test script:
---------------
C:\pear\packages\Cache\trunk>pear upgrade pear
Expected result:
----------------
No errors
Actual result:
--------------
C:\pear\packages\Cache\trunk>pear upgrade pear
Error getting channel info from pear.php.net: SECURITY
ERROR: Will not write to
c:\tmp\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cache
id as it is symlinked to
c:\tmp\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cache
id - Possible symlink att
ack
Nothing to upgrade
C:\pear\packages\Cache\trunk>
Comments
[2011-12-06 22:14 UTC] miau
(Koji Ando)
Although PEAR_REST compares lstat['dev'] and fstat['dev'], those differ
from each other on Windows even if it is a normal file.
https://github.com/pear/pear-core/blob/e9b322b44e3389dde64b5dae9a3d1935a413a407/PEAR/REST.php#L286
Here is a testing code.
===== start of stat_test.php =====
<?php
$tmpfile = tempnam('.', '');
$f = fopen($tmp, "w");
$fstat = fstat($f);
fclose($f);
$lstat = lstat($tmpfile);
unlink $tmpfile;
echo "lstat['dev']: $lstat['dev']\n";
echo "fstat['dev']: $fstat['dev']\n";
===== end of stat_test.php =====
>:: on Windows 7
>php stat_test.php.txt
lstat['dev']: 2
fstat['dev']: 0
$# on CentOS
$ php stat_test.php
lstat['dev']: 64768
fstat['dev']: 64768
How about using is_link() like PEAR_Downloader?
https://github.com/pear/pear-core/blob/e9b322b44e3389dde64b5dae9a3d1935a413a407/PEAR/Downloader.php#L1711
It seems to be enough to check if the file is a symbolic link.
>:: on Windows 7
>mklink link.txt target.txt
symbolic link created for link.txt <<===>> target.txt
>php -r "var_dump(is_link('target.txt'));"
bool(false)
>php -r "var_dump(is_link('link.txt'));"
bool(true)
[2012-05-02 13:36 UTC] joewp
(Joe Parente)
As a quick fix, I commented out line 286 in REST.php:
$cachefile_lstat['dev'] == $cachefile_fstat['dev'] &&
And that seemed to fix it on Windows 7. Quick and dirty, I know.
[2014-03-03 00:46 UTC] avb
(Alexey Borzov)
-Assigned To: dufuz
+Assigned To: avb
Added a pull request: https://github.com/pear/pear-core/pull/30
This fixes another issue: if an actual symlink attack was tried, the file would be truncated BEFORE checking for a symlink due to 'wb' fopen() mode. [2014-03-04 20:02 UTC] doconnor
(Daniel O'Connor)
-Status: Assigned
+Status: Closed
This bug has been fixed in SVN.
If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET).
If this was a problem with the pear.php.net website, the change should be live shortly.
Otherwise, the fix will appear in the package's next release.
Thank you for the report and for helping us make PEAR better.