Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

[Helgi Þormar Þorbjörnsson <helgith () gmail com>]

On 1 Mar 2011, at 12:19, Dan Rosenberg wrote:

> > Not sure it is fixable, or maybe using a lock on the symbolic link
> > while fetching its target (to be tested to be sure that such locks
> > cannot be overridden from shell).
>
> The easiest way is to just open the target with the O_NOFOLLOW flag to
> avoid following symlinks and abort on failure.  If you need to support
> systems that don't have this flag, then perhaps you could consider
> using an application-specific temporary directory instead of operating
> in the world-writable /tmp.

The PEAR installer does use /tmp (and whatever the Windows equivalent is) by default unless the user opts into a local 
installation or does indeed change the configuration to use other temp/download/cache directories so users can guard 
themselves with a good setup.

A flag like that would be handy but doesn't exist (yet) in PHP. 

I moved over to using the O_CREAT|O_EXCL equivalent in PHP when creating new files and lstat + fopen + fstat and 
comparing mode/ino/dev before writing to an existing file for the cache. I could add an nlink check to that as well.
The current version I've been playing around with is located at https://gist.github.com/848371 - It is missing the 
nlink part but it should be able to deal with TOCTOU problems. That code snippet hasn't been committed as I consider it 
work-in-progress still.

Any comments / suggestions are welcome, I did write that one quite late last night :-)

- Helgi