fix: resolve TOCTOU symlink vulnerability in FileHandler gc and destroy#10298
fix: resolve TOCTOU symlink vulnerability in FileHandler gc and destroy#10298gr8man wants to merge 11 commits into
Conversation
gr8man
force-pushed
the
fix/filehandler-gc-toctou
branch
from
ea56cf1 to
b078a2f
Compare
…Object and add null fallback (codeigniter4#10257)
…r4#10291) Updates the requirements on [boundwize/structarmed](https://github.com/boundwize/structarmed) to permit the latest version. Updates `boundwize/structarmed` to 0.12.5 - [Release notes](https://github.com/boundwize/structarmed/releases) - [Commits](boundwize/structarmed@0.12.0...0.12.5) --- updated-dependencies: - dependency-name: boundwize/structarmed dependency-version: 0.12.5 dependency-type: direct:development dependency-group: composer-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…r4#10292) Updates the requirements on [boundwize/structarmed](https://github.com/boundwize/structarmed) to permit the latest version. Updates `boundwize/structarmed` to 0.12.6 - [Release notes](https://github.com/boundwize/structarmed/releases) - [Commits](boundwize/structarmed@0.12.5...0.12.6) --- updated-dependencies: - dependency-name: boundwize/structarmed dependency-version: 0.12.6 dependency-type: direct:development dependency-group: composer-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [shivammathur/setup-php](https://github.com/shivammathur/setup-php) in `/` from 2.37.1 to 2.37.2. Updates `shivammathur/setup-php` from 2.37.1 to 2.37.2 - [Release notes](https://github.com/shivammathur/setup-php/releases) - [Commits](shivammathur/setup-php@7c071df...f3e473d) --- updated-dependencies: - dependency-name: shivammathur/setup-php dependency-version: 2.37.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github_actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
gr8man
force-pushed
the
fix/filehandler-gc-toctou
branch
from
24bc734 to
92cbb2d
Compare
github-actions
Bot
added
github_actions
gr8man
force-pushed
the
fix/filehandler-gc-toctou
branch
from
6670366 to
92cbb2d
Compare
github-actions
Bot
added
the
github_actions
|
Rebase went wrong, and PR has commits that were already merged. |
michalsn
left a comment
michalsn
left a comment
There was a problem hiding this comment.
This PR fixes a Time-of-Check to Time-of-Use (TOCTOU) vulnerability within the FileHandler session driver.
I don't think this is really a TOCTOU fix. The patched code still performs several non-atomic check-then-use operations: lstat(), is_link(), is_file(), then @unlink(). The symlink-following behavior is from filemtime(), not from unlink(): unlink() deletes the symlink entry, not the file it points to.
In a shared hosting environment with a predictable or shared session save path (like
/tmp)...
The described scenario depends on using a shared session save path such as /tmp, but the user guide explicitly warns not to use publicly readable or shared directories for FileHandler sessions and says only our app should have access to the savePath. The default savePath is WRITEPATH . 'session'.
an attacker could potentially replace their session file with a symlink pointing to another system file.
If we assume symlink planting in the session save path is something we want to protect against, then read() and write() also need to be considered, because they use fopen(), touch(), and ftruncate() on the same path and still follow symlinks.
It also resolves false-positives raised by strict security scanners regarding the lack of
is_linkchecks beforeunlink.
I don't think scanner false positives alone are enough reason to change runtime behavior here.
Overall, IMO these changes are not necessary.
| $stat = @lstat($filePath); | ||
|
|
||
| if ($stat === false || is_link($filePath) || ! is_file($filePath) || $stat['mtime'] > $ts) { |
There was a problem hiding this comment.
Once is_link() filters links out, filemtime() on a non-link equals the stat['mtime'] - the whole lstat() call is unnecessary.
2 participants
Description
This PR fixes a Time-of-Check to Time-of-Use (TOCTOU) vulnerability within the
FileHandlersession driver.Previously,
gc()anddestroy()relied onis_file()andfilemtime(), which automatically follow symbolic links. In a shared hosting environment with a predictable or shared session save path (like/tmp), an attacker could potentially replace their session file with a symlink pointing to another system file. By racing the garbage collector, they could use theunlink()operation as an oracle to infer the modification time (mtime) of arbitrary files on the system, depending on whether their symlink was deleted or not. It also resolves false-positives raised by strict security scanners regarding the lack ofis_linkchecks beforeunlink.Changes:
lstat()inFileHandler::gc()to retrieve file stats without following symbolic links.is_link()checks before any@unlink()calls in bothgc()anddestroy()to ensure the handler explicitly ignores symlinks.FileHandlerTest.phpto thoroughly verify that symbolic links are appropriately ignored by the garbage collector and the destruction routine.Checklist:
tests/system/Session/Handlers/FileHandlerTest.php).