Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.10.15

Bug #18834 Bug #18056 regression on windows
Submitted: 2011-09-15 10:45 UTC
From: doconnor Assigned: avb
Status: Closed Package: PEAR (version 1.9.4)
PHP Version: 5.3.8 OS:
Roadmaps: 1.9.5    
Subscription  


 [2011-09-15 10:45 UTC] doconnor (Daniel O'Connor)
Description: ------------ The fixes for Bug #18056 appear to be too aggressive on a windows environment. I don't believe even the latest windows have anything like a symlink; so potentially checking the OS will fix this Test script: --------------- C:\pear\packages\Cache\trunk>pear upgrade pear Expected result: ---------------- No errors Actual result: -------------- C:\pear\packages\Cache\trunk>pear upgrade pear Error getting channel info from pear.php.net: SECURITY ERROR: Will not write to c:\tmp\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cache id as it is symlinked to c:\tmp\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cache id - Possible symlink att ack Nothing to upgrade C:\pear\packages\Cache\trunk>

Comments

 [2011-09-18 13:02 UTC] doconnor (Daniel O'Connor)
-Assigned To: +Assigned To: dufuz
 [2011-12-06 22:14 UTC] miau (Koji Ando)
Although PEAR_REST compares lstat['dev'] and fstat['dev'], those differ from each other on Windows even if it is a normal file. https://github.com/pear/pear-core/blob/e9b322b44e3389dde64b5dae9a3d1935a413a407/PEAR/REST.php#L286 Here is a testing code. ===== start of stat_test.php ===== <?php $tmpfile = tempnam('.', ''); $f = fopen($tmp, "w"); $fstat = fstat($f); fclose($f); $lstat = lstat($tmpfile); unlink $tmpfile; echo "lstat['dev']: $lstat['dev']\n"; echo "fstat['dev']: $fstat['dev']\n"; ===== end of stat_test.php ===== >:: on Windows 7 >php stat_test.php.txt lstat['dev']: 2 fstat['dev']: 0 $# on CentOS $ php stat_test.php lstat['dev']: 64768 fstat['dev']: 64768 How about using is_link() like PEAR_Downloader? https://github.com/pear/pear-core/blob/e9b322b44e3389dde64b5dae9a3d1935a413a407/PEAR/Downloader.php#L1711 It seems to be enough to check if the file is a symbolic link. >:: on Windows 7 >mklink link.txt target.txt symbolic link created for link.txt <<===>> target.txt >php -r "var_dump(is_link('target.txt'));" bool(false) >php -r "var_dump(is_link('link.txt'));" bool(true)
 [2012-05-02 13:36 UTC] joewp (Joe Parente)
As a quick fix, I commented out line 286 in REST.php: $cachefile_lstat['dev'] == $cachefile_fstat['dev'] && And that seemed to fix it on Windows 7. Quick and dirty, I know.
 [2014-03-03 00:46 UTC] avb (Alexey Borzov)
-Assigned To: dufuz +Assigned To: avb
Added a pull request: https://github.com/pear/pear-core/pull/30 This fixes another issue: if an actual symlink attack was tried, the file would be truncated BEFORE checking for a symlink due to 'wb' fopen() mode.
 [2014-03-04 20:02 UTC] doconnor (Daniel O'Connor)
-Status: Assigned +Status: Closed
This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.
 [2014-05-30 02:20 UTC] cweiske (Christian Weiske)
-Roadmap Versions: +Roadmap Versions: 1.9.5
 [2014-05-31 17:30 UTC] cweiske (Christian Weiske)
Cherry-picked into stable for 1.9.5.