
Ex:WikibaseQualityExternalValidation - don't use .tar / phar to transfer files to production
Closed, Resolved (Public)

Description

Extracting an archive into a directory that contains a symlink with the same name as a file in the archive will overwrite the symlink target, if the user extracting the archive has permissions to it. The current scheme is vulnerable to an attacker setting up a symlink in the temp directory of the production server, and when the user importing the data runs UpdateTable.php, they will overwrite a file that they have permissions to edit of the attacker's choosing.

There really isn't a good reason to use an archive here; just upload the two files separately.

Additionally, issues like CVE-2015-3329 make me nervous to use phar in production without a really good reason.
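As an added illustration (not code from the task, the extension, or the linked patches, and in Python rather than the extension's PHP), the check the report calls for: refuse to write an archive member where a symlink already sits, instead of opening the path and following it. The archive, the `tmp` directory, the planted `data.csv` symlink and the `LocalSettings.php` target are all constructed here for the demo.

```python
import io
import os
import tarfile
import tempfile

class UnsafeExtraction(Exception):
    """Raised when extracting would write anywhere other than a fresh regular file."""

def check_member(member, dest):
    """Accept only a regular file with a bare name, whose target path is not a symlink."""
    if not member.isfile():
        raise UnsafeExtraction(f"{member.name}: not a regular file")
    name = member.name
    if os.path.isabs(name) or os.path.basename(name) != name or name in ("", ".", ".."):
        raise UnsafeExtraction(f"{name}: path must be a bare file name")
    target = os.path.join(dest, name)
    # The bug the report describes: a symlink already at the target path makes a
    # plain open()/write land wherever the symlink points (e.g. a file the importing
    # user can modify). Refuse instead of following it.
    if os.path.islink(target):
        raise UnsafeExtraction(f"{target}: refusing to write through a symlink")
    return target

def safe_extract(archive_path, dest):
    """Extract only regular files into dest; never follow or replace existing paths."""
    if os.path.islink(dest) or not os.path.isdir(dest):
        raise UnsafeExtraction(f"{dest}: destination must be a real directory")
    written = []
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            target = check_member(member, dest)
            # O_CREAT|O_EXCL fails with EEXIST if anything (even a dangling symlink)
            # already occupies the path, so the islink() check above cannot be raced.
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
            fd = os.open(target, flags, 0o644)
            with os.fdopen(fd, "wb") as out, tar.extractfile(member) as src:
                out.write(src.read())
            written.append(member.name)
    return written

def build_fixture():
    """Constructed demo: an archive holding data.csv, and a dest dir where an
    attacker-style symlink named data.csv points at a file the user can write."""
    root = tempfile.mkdtemp()
    archive = os.path.join(root, "import.tar")
    with tarfile.open(archive, "w") as tar:
        payload = b"id,value\n1,imported\n"
        info = tarfile.TarInfo("data.csv")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    dest = os.path.join(root, "tmp")
    os.mkdir(dest)
    victim = os.path.join(root, "LocalSettings.php")  # placeholder target, constructed
    with open(victim, "w") as f:
        f.write("<?php // original\n")
    os.symlink(victim, os.path.join(dest, "data.csv"))
    return archive, dest, victim
```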

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo and 5 others.
soeren.oldag triaged this task as High priority.
soeren.oldag set Security to None.
soeren.oldag moved this task from Backlog to DOING on the Wikibase-Quality board.

Change 220128 had a related patch set uploaded (by Soeren.oldag):
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220128

Change 220130 had a related patch set uploaded (by Soeren.oldag):
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220130

Change 220128 merged by jenkins-bot:
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220128

soeren.oldag moved this task from DOING to DONE on the Wikibase-Quality board.

Change 220130 merged by Dominic.sauer:
Multiple CSV files are now used to import external data instead of a single TAR file (T103438)

https://gerrit.wikimedia.org/r/220130