Closed (fixed)
Project:
Drush
Version:
8.x-6.x-dev
Component:
Core Commands
Priority:
Minor
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
28 May 2012 at 04:47 UTC
Updated:
11 Mar 2013 at 14:47 UTC
During the course of fixing a security issue (#671906: mysql credentials leak in drush sqlc), I had to create two temporary files with drush_save_data_to_temp_file(). It seems this is impossible in Drush 4, and is the reason why that issue isn't yet resolved.
I suspect the problem is related to the fact that the file descriptor in that function is static. Yet, when I comment out that declaration, it still fails to create the second file.
Attached is a patch that adds the test for this bug, a silly eval because #1133284: separate functional from unit tests was never committed.
| Comment | File | Size | Author |
|---|---|---|---|
| save_test.patch | 654 bytes | anarcat |
Comments
Comment #1
anarcat commentedbtw, this is not a bug in tmpfile() from php, as the following test works:
Comment #2
anarcat commentedEven more confusing and marvelous: when commenting out the "static" declaration, no file is created at *all*. Huge wtf.
Simpler test code also shows that the first tempfile is actually removed when the second tmp call is issued:
yields:
Comment #3
anarcat commentedSo I think the problem resides in the "magic" of tmpfile(), which "magically" removes the file descriptor when it is closed (or in our case, garbage collected). Lots of fun. The following patch works, for example:
...simply because we keep a reference to all the temporary files we create.
Drush 5 is not affected, because it doesn't use tmpfile() but tmpname(), which has the disadvantage of being vulnerable to a symlink attack, as we do not get an open file descriptor but a pathname which may be replaced during the very very short window during which we try to open the file. It is unclear to me whether we should use Drush 5's version of the above hack. Both alternatives seem problematic.
Anyways, with the above patch, the provided test passes and the whole test suite is in the green again.
Comment #4
greg.1.anderson commented#1133284: separate functional from unit tests was committed; any interest in revisiting this test, and re-rolling as described in #0?
Close if not interested -- I'm just doing some issue-queue cleaning.
Comment #5
anarcat commentedFrom my latest comments, it seemed that Drush 5 wasn't affected by this bug, so Drush 6 is likely unaffected too.
However, both are probably vulnerably to a symlink attack, so there's a security issue here, but that's a separate issue.
I am closing this one as fixed in 5.x, according to my latest comments.