Improve randomness of uploaded file names and files created by tempnam()

arnaud-lb · arnaud-lb · commit d169bc2be77d · 2024-05-30T12:38:41.000+02:00
diff --git a/ext/standard/tests/file/tempnam_variation9.phpt b/ext/standard/tests/file/tempnam_variation9.phpt
@@ -57,17 +57,17 @@ if (file_exists($file_path)) {
 --EXPECTF--
 *** Testing tempnam() maximum prefix size ***
 -- Iteration 0 --
-File name is => begin_%rx{7}%r_end%r.{6}%r
-File name length is => 23
+File name is => begin_%rx{7}%r_end%r.{38}%r
+File name length is => 55
 -- Iteration 1 --
-File name is => begin_%rx{53}%r_end%r.{6}%r
-File name length is => 69
+File name is => begin_%rx{53}%r_end%r.{38}%r
+File name length is => 101
 -- Iteration 2 --
-File name is => begin_%rx{54}%r_en%r.{6}%r
-File name length is => 69
+File name is => begin_%rx{54}%r_en%r.{38}%r
+File name length is => 101
 -- Iteration 3 --
-File name is => begin_%rx{55}%r_e%r.{6}%r
-File name length is => 69
+File name is => begin_%rx{55}%r_e%r.{38}%r
+File name length is => 101
 -- Iteration 4 --
-File name is => begin_%rx{57}%r%r.{6}%r
-File name length is => 69
+File name is => begin_%rx{57}%r%r.{38}%r
+File name length is => 101
diff --git a/main/php_open_temporary_file.c b/main/php_open_temporary_file.c
@@ -15,7 +15,9 @@
  */
 
 #include "php.h"
+#include "zend_long.h"
 #include "php_open_temporary_file.h"
+#include "ext/random/php_random.h"
 
 #include <errno.h>
 #include <sys/types.h>
@@ -89,11 +91,13 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, zend_st
 #ifdef PHP_WIN32
 	char *opened_path = NULL;
 	size_t opened_path_len;
-	wchar_t *cwdw, *pfxw, pathw[MAXPATHLEN];
+	wchar_t *cwdw, *random_prefix_w, pathw[MAXPATHLEN];
 #else
 	char opened_path[MAXPATHLEN];
 	char *trailing_slash;
 #endif
+	uint64_t random[2];
+	char *random_prefix;
 	char cwd[MAXPATHLEN];
 	cwd_state new_state;
 	int fd = -1;
@@ -128,34 +132,45 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, zend_st
 		return -1;
 	}
 
+	/* Extend the prefix to increase randomness */
+	if (php_random_bytes_silent(&random, sizeof(random)) == FAILURE) {
+		random[0] = php_random_generate_fallback_seed();
+		random[1] = php_random_generate_fallback_seed();
+	}
+
+	spprintf(&random_prefix, 0, "%s%016" PRIx64 "%016" PRIx64, pfx, random[0], random[1]);
+
 #ifndef PHP_WIN32
 	if (IS_SLASH(new_state.cwd[new_state.cwd_length - 1])) {
 		trailing_slash = "";
 	} else {
 		trailing_slash = "/";
 	}
 
-	if (snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", new_state.cwd, trailing_slash, pfx) >= MAXPATHLEN) {
+	if (snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", new_state.cwd, trailing_slash, random_prefix) >= MAXPATHLEN) {
+		efree(random_prefix);
 		efree(new_state.cwd);
 		return -1;
 	}
 #endif
 
 #ifdef PHP_WIN32
 	cwdw = php_win32_ioutil_any_to_w(new_state.cwd);
-	pfxw = php_win32_ioutil_any_to_w(pfx);
-	if (!cwdw || !pfxw) {
+	random_prefix_w = php_win32_ioutil_any_to_w(random_prefix);
+	if (!cwdw || !random_prefix_w) {
 		free(cwdw);
-		free(pfxw);
+		free(random_prefix_w);
+		efree(random_prefix);
 		efree(new_state.cwd);
 		return -1;
 	}
 
-	if (GetTempFileNameW(cwdw, pfxw, 0, pathw)) {
+	if (GetTempFileNameW(cwdw, random_prefix_w, 0, pathw)) {
 		opened_path = php_win32_ioutil_conv_w_to_any(pathw, PHP_WIN32_CP_IGNORE_LEN, &opened_path_len);
 		if (!opened_path || opened_path_len >= MAXPATHLEN) {
 			free(cwdw);
-			free(pfxw);
+			free(random_prefix_w);
+			efree(random_prefix);
 			efree(new_state.cwd);
 			return -1;
 		}
@@ -165,7 +180,8 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, zend_st
 		 * which means that opening it will fail... */
 		if (VCWD_CHMOD(opened_path, 0600)) {
 			free(cwdw);
-			free(pfxw);
+			free(random_prefix_w);
+			efree(random_prefix);
 			efree(new_state.cwd);
 			free(opened_path);
 			return -1;
@@ -174,7 +190,7 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, zend_st
 	}
 
 	free(cwdw);
-	free(pfxw);
+	free(random_prefix_w);
 #elif defined(HAVE_MKSTEMP)
 	fd = mkstemp(opened_path);
 #else
@@ -194,6 +210,7 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, zend_st
 	}
 #endif
 	efree(new_state.cwd);
+	efree(random_prefix);
 	return fd;
 }
 /* }}} */
