Security: Path::Tiny::tempdir does not check for symlinks in DIR, leading to potential symlink attack

[phongguyen1]

The Path::Tiny::tempdir method does not verify if the DIR parameter is a symbolic link (symlink).

This allows the creation of temporary directories in unintended locations pointed to by symlinks, potentially exposing the application to symlink attacks.

This behavior poses a security risk, especially in multi-user environments where directories like /tmp are writable by all users.

I created a symlink: ln -s /tmp/phongexploit /tmp/phongdir

I think we should check if the DIR parameter is a symlink and either:

• Throw an error if a symlink is detected, or
• Resolve the symlink to its real path and create the temporary directory there, ensuring the operation is safe and predictable.

I used Perl v5.40.1, Path::Tiny v0.146

[ap]

Path::Tiny just uses File::Temp for this, so it does whatever File::Temp does. Is this a problem in Path::Tiny but not a problem in File::Temp, or should it be filed against File::Temp instead?

[stigtsp]

Possibly related to Perl-Toolchain-Gang/File-Temp#14 CVE-2011-4116 ?

[robrwo]

I am sceptical about this is being a security issue with Path::Tiny or File::Temp.

You specified the directory to create the temporary file in.

[phongguyen1]

Path::Tiny just uses File::Temp for this, so it does whatever File::Temp does. Is this a problem in Path::Tiny but not a problem in File::Temp, or should it be filed against File::Temp instead?

There’s already an issue related to this in File::Temp, see details at: Perl-Toolchain-Gang/File-Temp#14
Since Path::Tiny is a widely used wrapper, adding an extra check in Path::Tiny could enhance safety, even if File::Temp remains unchanged I think

[phongguyen1]

Possibly related to Perl-Toolchain-Gang/File-Temp#14 CVE-2011-4116 ?

Yes, it is related to Perl-Toolchain-Gang/File-Temp#14 CVE-2011-4116, as they also address symlink issues in temporary directory creation.

[phongguyen1]

I am sceptical about this is being a security issue with Path::Tiny or File::Temp.

You specified the directory to create the temporary file in.

I understand the point that I chose the /tmp/phongdir directory, but the issue is that tempdir doesn’t check if the specified directory is a symlink. I suggest adding a symlink check or automatically resolving the real path to mitigate this risk.

[robrwo]

I am sceptical about this is being a security issue with Path::Tiny or File::Temp.
You specified the directory to create the temporary file in.

I understand the point that I chose the /tmp/phongdir directory, but the issue is that tempdir doesn’t check if the specified directory is a symlink. I suggest adding a symlink check or automatically resolving the real path to mitigate this risk.

It gets more complicated when you have hardlinks to symlinks. It requires checking every component of the path.

It would make more sense to have a separate utility for checking paths for various kinds of safety, especially since this is an edge case.