View Revisions: Issue #458

Summary 0000458: Check whether opendir() was successful
Revision 2016-04-25 08:07 by administrator
Description Hi folks,

WackoWiki is really a great tool, but it was utterly frustrating to get it running properly.

This issue concerns the stable, testing and the development branch.
I really don't like Sourceforge, neither do I like that this shitty bugtracker system doesn't even have TLS... So sorry for not committing the patch.

Why is it a security concern? Because this can easily cause extreme load on the server by simply doing many requests, which can even render the server unusable.


You often do something like that when working with opendir:

                $directory = $this->config['cache_dir'].CACHE_PAGE_DIR;
                $handle = opendir(rtrim($directory, '/'));

                while (false !== ($file = readdir($handle)))
                {
                    if (is_file($directory.$file) &&
                    ((time() - @filemtime($directory.$file)) > $ttl))
                    {
                        @unlink($directory.$file);
                    }
                }

Minor beginner PHP mistake

The problem with that is that you do a readdir($handle) before ever having checked whether the opendir() was successful.
What if the directory doesn't even exist or file permissions are set incorrectly???
As this part of the code is being executed at random times only, due to "$this->get_micro_time() % 3" you have a really, really annoying bug.

The simple fix is to only do the while-loop and the dirclose() if opendir() was successful:
                // delete from fs
                clearstatcache();

                // trailing slash is stripped here, so it is added back when building file paths
                $directory = rtrim($this->config['cache_dir'].CACHE_PAGE_DIR, '/');

                if($handle = opendir($directory))
                {
                    while (false !== ($file = readdir($handle)))
                    {
                        if (is_file($directory.'/'.$file) &&
                        ((time() - @filemtime($directory.'/'.$file)) > $ttl))
                        {
                            @unlink($directory.'/'.$file);
                        }
                    }

                    closedir($handle);
                }


Look at the example on http://php.net/manual/en/function.readdir.php

You did everything exactly the same way (even variable-naming), but forgot the if($handle = opendir("bla"))...

Greetz,
CodeFetch
Revision 2016-04-25 03:17 by CodeFetch
Description Hi folks,

WackoWiki is really a great tool, but it was utterly frustrating to get it running properly.

This issue concerns the stable, testing and the development branch.
I really don't like Sourceforge, neither do I like that this shitty bugtracker system doesn't even have TLS... So sorry for not committing the patch.

Why is it a security concern? Because this can easily cause extreme load on the server by simply doing many requests, which can even render the server unusable.


You often do something like that when working with opendir:

                $directory = $this->config['cache_dir'].CACHE_PAGE_DIR;
                $handle = opendir(rtrim($directory, '/'));

                while (false !== ($file = readdir($handle)))
                {
                    if (is_file($directory.$file) &&
                    ((time() - @filemtime($directory.$file)) > $ttl))
                    {
                        @unlink($directory.$file);
                    }
                }


The problem with that is that you do a readdir($handle) before ever having checked whether the opendir() was successful.
What if the directory doesn't even exist or file permissions are set incorrectly???
As this part of the code is being executed at random times only, due to "$this->get_micro_time() % 3" you have a really, really annoying bug.

The simple fix is to only do the while-loop and the dirclose() if opendir() was successful:
                // delete from fs
                clearstatcache();

                // trailing slash is stripped here, so it is added back when building file paths
                $directory = rtrim($this->config['cache_dir'].CACHE_PAGE_DIR, '/');

                if($handle = opendir($directory))
                {
                    while (false !== ($file = readdir($handle)))
                    {
                        if (is_file($directory.'/'.$file) &&
                        ((time() - @filemtime($directory.'/'.$file)) > $ttl))
                        {
                            @unlink($directory.'/'.$file);
                        }
                    }

                    closedir($handle);
                }


Look at the example on http://php.net/manual/en/function.readdir.php

You did everything exactly the same way (even variable-naming), but forgot the if($handle = opendir("bla"))...

Greetz,
CodeFetch
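
An added example, not part of the original report and not WackoWiki's own code: a stand-alone purge helper that checks the opendir() result, logs the failure instead of skipping it silently, and joins paths with exactly one separator. The function name purge_expired_cache() and the temp-directory sample data are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not WackoWiki's own code.
// Deletes regular files older than $ttl seconds from $dir.
// Returns the number of files removed, or false if $dir cannot be opened.
function purge_expired_cache($dir, $ttl)
{
    // Normalise to one trailing slash so $dir.$file is always a valid path.
    $dir = rtrim($dir, '/') . '/';

    clearstatcache();

    // Check the handle before looping. On PHP < 8, readdir() on a failed
    // handle returns NULL, and NULL !== false, so an unguarded loop never ends.
    $handle = is_dir($dir) ? @opendir($dir) : false;

    if ($handle === false)
    {
        error_log('cache purge skipped, cannot open ' . $dir);
        return false;
    }

    $removed = 0;
    $now     = time();

    while (false !== ($file = readdir($handle)))
    {
        $path  = $dir . $file;
        $mtime = is_file($path) ? @filemtime($path) : false;

        if ($mtime !== false && ($now - $mtime) > $ttl && @unlink($path))
        {
            $removed++;
        }
    }

    closedir($handle);

    return $removed;
}

// Constructed sample data: one stale and one fresh file in a temp directory.
$tmp = sys_get_temp_dir() . '/purge_demo_' . uniqid();
mkdir($tmp);
touch($tmp . '/stale.cache', time() - 3600);
touch($tmp . '/fresh.cache');
var_dump(purge_expired_cache($tmp, 600));               // only the stale file qualifies
var_dump(purge_expired_cache($tmp . '/missing', 600));  // directory does not exist
unlink($tmp . '/fresh.cache');
rmdir($tmp);
```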