Security: Disallow writing temporary files to symlinks (bug #855)

Cc @peterpp

adminer/include/auth.inc.php

@@ -19,7 +19,17 @@ if ($_COOKIE["adminer_permanent"]) {
 
 function add_invalid_login() {
 	global $adminer;
-	$fp = file_open_lock(get_temp_dir() . "/adminer.invalid");
+	$base = get_temp_dir() . "/adminer.invalid";
+	// adminer.invalid may not be writable by us, try the files with random suffixes
+	foreach (glob("$base*") ?: array($base) as $filename) {
+		$fp = file_open_lock($filename);
+		if ($fp) {
+			break;
+		}
+	}
+	if (!$fp) {
+		$fp = file_open_lock("$base-" . rand_string());
+	}
 	if (!$fp) {
 		return;
 	}
@@ -42,7 +52,15 @@ function add_invalid_login() {
 
 function check_invalid_login() {
 	global $adminer;
-	$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist
+	$invalids = array();
+	foreach (glob(get_temp_dir() . "/adminer.invalid*") as $filename) {
+		$fp = file_open_lock($filename);
+		if ($fp) {
+			$invalids = unserialize(stream_get_contents($fp));
+			file_unlock($fp);
+			break;
+		}
+	}
 	$invalid = ($invalids ? $invalids[$adminer->bruteForceKey()] : array());
 	$next_attempt = ($invalid[1] > 29 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
 	if ($next_attempt > 0) { //! do the same with permanent login

adminer/include/functions.inc.php

@@ -799,6 +799,9 @@ function get_temp_dir() {
 * @return resource or null for error
 */
 function file_open_lock($filename) {
+	if (is_link($filename)) {
+		return; // https://cwe.mitre.org/data/definitions/61.html
+	}
 	$fp = @fopen($filename, "c+"); // @ - may not be writable
 	if (!$fp) {
 		return;

changes.txt

@@ -2,6 +2,7 @@ Adminer dev:
 Align numbers right (bug #912)
 Remember export setting at SQL command
 SQL textarea: Open help on Ctrl+click
+Security: Disallow writing temporary files to symlinks (bug #855)
 MariaDB: Display MariaDB instead of MySQL
 CSS: Dark mode syntax highlighting
 Designs named adminer-dark.css use dark basic style