
Ex:WikibaseQualityExternalValidation - don't use .tar / phar to transfer files to production
Closed, Resolved (Public)

Description

Extracting an archive into a directory that contains a symlink with the same name as a file in the archive will overwrite the symlink target, if the user extracting the archive has permissions to it. The current scheme is vulnerable to an attacker setting up a symlink in the temp directory of the production server, and when the user importing the data runs UpdateTable.php, they will overwrite a file that they have permissions to edit of the attacker's choosing.

There really isn't a good reason to use an archive here; just upload the two files separately.

Additionally, issues like CVE-2015-3329 make me nervous to use phar in production without a really good reason.
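The write-through-symlink behaviour the description relies on, next to a hardened write, as an added example that is not part of the task or of the WikibaseQuality code. It shows the underlying file-write behaviour rather than phar/tar extraction itself; the file names and the sandbox layout are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

def naive_write(path, data):
    # A plain open-for-write follows a symlink already present at `path`
    # and overwrites whatever it points to.
    with open(path, "wb") as fh:
        fh.write(data)

def safe_write(path, data):
    # O_CREAT|O_EXCL fails if anything, including a (dangling) symlink,
    # already exists at `path`; O_NOFOLLOW is defence in depth where available.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def demo():
    # Constructed sandbox: everything lives in a directory private to this run.
    with tempfile.TemporaryDirectory() as sandbox:
        shared = Path(sandbox, "shared_tmp")      # stands in for a shared temp dir
        shared.mkdir()
        victim = Path(sandbox, "victim.conf")     # a file the importing user may edit
        planted = shared / "external_data.csv"    # hypothetical import file name
        os.symlink(victim, planted)               # the pre-planted symlink

        results = []
        for writer in (naive_write, safe_write):
            victim.write_bytes(b"original")
            try:
                writer(planted, b"imported rows")
                refused = False
            except FileExistsError:
                refused = True
            results.append((refused, victim.read_bytes()))

        # Staging in a fresh mkdtemp() directory (mode 0700) removes the
        # precondition: no other local user can plant a link there first.
        private = tempfile.mkdtemp(dir=sandbox)
        safe_write(os.path.join(private, "external_data.csv"), b"imported rows")
        return results, os.stat(private).st_mode & 0o777

if __name__ == "__main__":
    print(demo())
```
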

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
soeren.oldag triaged this task as High priority.
soeren.oldag set Security to None.
soeren.oldag moved this task from Backlog to DOING on the Wikibase-Quality board.

Change 220128 had a related patch set uploaded (by Soeren.oldag):
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220128

Change 220130 had a related patch set uploaded (by Soeren.oldag):
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220130

Change 220128 merged by jenkins-bot:
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220128

soeren.oldag moved this task from DOING to DONE on the Wikibase-Quality board.

Change 220130 merged by Dominic.sauer:
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220130