WSF_REQUEST.save_uploaded_file: unsafe


Berend de Boer

May 17, 2014, 12:49:06 AM
to Eiffel Web Framework
Hi All,

It seems that save_uploaded_file allows attackers to overwrite files
uploaded by others. I.e., there is a delay between the file-exists check
and creating the file. Code like this is extremely unsafe. I'm guessing
this is perhaps an attempt at portability, but I strongly suggest we
use the OS-supplied tmpfile facilities.

Obviously it's easy to replace, which I will do in my code. But I use
eposix (as that gives me access to OS facilities), so not a patch I
can submit, but at least this function should come with a very big
warning IMO.

--
All the best,

Berend de Boer

Jocelyn Fiat

May 30, 2014, 9:40:52 AM
to eiffel-web...@googlegroups.com
Hi Berend,

Indeed this code has to be improved.
I am wondering if tmpfile() is available for all platforms, and is it safe in a concurrent application?
I am sure it is safer than the current code in EWF.

-- Jocelyn

Berend de Boer

May 30, 2014, 6:27:24 PM
to eiffel-web...@googlegroups.com
>>>>> "Jocelyn" == Jocelyn Fiat <jf...@eiffel.com> writes:

Jocelyn> Indeed this code has to be improved. I am wondering if
Jocelyn> tmpfile() is available for all platforms.

For a draft implementation, see EPX_WSF_REQUEST:

https://github.com/berenddeboer/eposix/blob/f7f59c70151056bbbdbae05d24d4df9f53cfc8b3/src/ewf/epx_wsf_request.e

I'm using a SUS_ class (SUS_TEMPORARY_FILE), meaning it's based on the
Standard Unix Specification. The routine it uses is mkstemp().

I have an STDC_TEMPORARY_FILE class as well, which uses tmpfile(). An
STDC_ class is available on all platforms with a C compiler, so the
answer is yes, it is available on all platforms.


Jocelyn> and is it safe in concurrent application?

It is.
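To make the difference concrete, here is an added C example (not code from EWF, eposix or either poster) showing the check-then-create pattern the thread describes next to the atomic mkstemp() alternative; the upload directory and the "upload-XXXXXX" name template are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread reports: test for existence, then create. Between
 * access() and fopen() another process can create that name, so the write
 * lands on a file the uploader does not own. Kept only as the "before" case. */
int save_upload_unsafe(const char *path, const char *data, size_t len) {
    if (access(path, F_OK) == 0) return -1;   /* time of check ... */
    FILE *f = fopen(path, "w");               /* ... time of use: not atomic */
    if (!f) return -1;
    int ok = fwrite(data, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Hardened form: mkstemp() does open(O_CREAT|O_EXCL, 0600) on a fresh name in
 * one step, so there is no window and a pre-existing file is never reused. */
int save_upload_safe(const char *dir, const char *data, size_t len,
                     char *out_path, size_t out_len) {
    char tmpl[4096];                          /* "upload-XXXXXX" is an assumed template */
    if (snprintf(tmpl, sizeof tmpl, "%s/upload-XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl); if (fd < 0) return -1;
    for (const char *p = data; len > 0; ) {   /* write() may be partial */
        ssize_t n = write(fd, p, len);
        if (n < 0) { close(fd); unlink(tmpl); return -1; }
        p += n; len -= (size_t)n;
    }
    if (close(fd) != 0 || strlen(tmpl) >= out_len) { unlink(tmpl); return -1; }
    strcpy(out_path, tmpl);
    return 0;
}

/* Self-check with constructed data: the saved file must be a fresh regular
 * file, mode 0600, of the expected size. Returns 1 on success, 0 otherwise. */
int demo_safe_save(void) {
    char dir[] = "/tmp/ewf-demo-XXXXXX";      /* constructed scratch directory */
    if (!mkdtemp(dir)) return 0;
    const char *body = "constructed upload body\n";
    char path[4096] = ""; struct stat st;
    int ok = save_upload_safe(dir, body, strlen(body), path, sizeof path) == 0
          && stat(path, &st) == 0 && S_ISREG(st.st_mode)
          && (st.st_mode & 0777) == 0600 && st.st_size == (off_t)strlen(body);
    if (path[0]) unlink(path);
    rmdir(dir);
    return ok;
}
```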

Jocelyn Fiat

Jun 11, 2014, 11:02:38 AM
to eiffel-web...@googlegroups.com
See related issue: https://github.com/EiffelWebFramework/EWF/issues/132
And a patch to address this issue: https://github.com/EiffelWebFramework/EWF/pull/133
This is waiting for comment, and eventually approval.

-- Jocelyn

Jocelyn Fiat

Jul 2, 2014, 1:18:07 PM
to eiffel-web...@googlegroups.com
This issue has been addressed.
Don't hesitate to comment on the solution committed.

Regards,
-- Jocelyn