Page MenuHomePhabricator
Create Task
Maniphest T103438

Ex:WikibaseQualityExternalValidation - don't use .tar / phar to transfer files to production
Closed, ResolvedPublic
Actions

Description

Extracting an archive into a directory that contains a symlink with the same name as a file in the archive will overwrite the symlink target, if the user extracting the archive has permissions to it. The current scheme is vulnerable to an attacker setting up a symlink in the temp directory of the production server, and when the user importing the data runs UpdateTable.php, they will overwrite a file that they have permissions to edit of the attacker's choosing.

There really isn't a good reason to use an archive here-- just upload the two files separately.

Additionally, issues like CVE-2015-3329 make me nervous to use phar in production without a really good reason.

Related Objects
Search...

Event Timeline

csteipp created this task.Jun 22 2015, 11:03 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: Wikibase-Quality, Wikidata, Wikibase-Quality-External-Validation.
csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo and 5 others.
soeren.oldag claimed this task.Jun 23 2015, 9:43 AM
soeren.oldag triaged this task as High priority.
soeren.oldag set Security to None.
soeren.oldag moved this task from Backlog to DOING on the Wikibase-Quality board.
gerritbot subscribed.Jun 23 2015, 12:47 PM

Change 220128 had a related patch set uploaded (by Soeren.oldag):
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220128

gerritbot added a project: Patch-For-Review.Jun 23 2015, 12:47 PM

Change 220130 had a related patch set uploaded (by Soeren.oldag):
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220130

gerritbot added a comment.Jun 23 2015, 12:59 PM

Change 220128 merged by jenkins-bot:
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220128

soeren.oldag closed this task as Resolved.Jun 23 2015, 1:00 PM
soeren.oldag moved this task from DOING to DONE on the Wikibase-Quality board.
gerritbot added a comment.Jun 23 2015, 1:05 PM

Change 220130 merged by Dominic.sauer:
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220130

Liuxinyu970226 unsubscribed.Jun 23 2015, 1:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits