[SUCS Devel] [Git][sucssite/sucs-site][sucs-site] 3 commits: stop .forward file being a symlink

Andrew Price welshbyte at sucs.org
Sun Apr 2 06:49:53 BST 2017

On 01/04/17 22:05, Imran Hussain wrote:
> On 01.04.2017 19:33, Andrew Price wrote:
>> - What if ~/.forward is created to be bigger than the available
>> virtual memory (sparse or actual size)?
> Php is set to use at most 128M. If someone has a 129M .forward file then
> all that'll happen is that php will crash out with a oom exception.

OK not catastrophic then, just a bug :)

>> - What if ~/.forward is replaced by a symlink between the is_link()
>> call and the file() call?
> What a attack!


It's pretty straightforward, something brutish like

   while (1) {
           rename(".forward", ".forward.backup");
           symlink("somefile", ".forward");
           rename(".forward.backup", ".forward");

would probably get "somefile" read about 10% of the time. Opening with 
O_NOFOLLOW and then doing all subsequent operations on the file 
descriptor is a good way to fix it but I doubt there's an easy way to 
get PHP to use that flag.


More information about the Devel mailing list