Newsgroups: php.internals
Date: Thu, 9 Feb 2012 01:35:19 +0100
From: ondrej@sury.org (Ondřej Surý)
To: Reindl Harald
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Security risk how to use find recommended in php.ini-*

On Thu, Feb 9, 2012 at 00:40, Christopher Jones wrote:
> Can you log a bug for this at https://bugs.php.net/ ?

Done: https://bugs.php.net/bug.php?id=61020

On Thu, Feb 9, 2012 at 00:43, Reindl Harald wrote:
> the main question is why here "cmin" is used instead "mmin"?
> find /var/www/sessiondata -type f -mmin +60 -exec rm -f {} \; 2> /dev/null > /dev/null

Good question about -cmin vs -mmin, but the rest of the command is so much
wrong in so many places. Here's the GNU find manual online[1].

-exec rm -f {} \;
 * prone to symlink attack (see the bugreport)
 * forcing rm here is only hiding possible errors

2>/dev/null 1>/dev/null
 * only hiding possible errors

O.

1. http://www.gnu.org/software/findutils/manual/html_node/find_html/Security-Considerations-for-find.html

-- 
Ondřej Surý
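
The cleanup command criticised in this message, rewritten without `-exec rm -f` and without the redirections, as an added example that is not part of the original message, the bug report or php.ini. It assumes GNU find and GNU touch; the function names and the temporary fixture are constructed for illustration, and `-mmin` is used as in the quoted command.

```shell
# Added example; function names and fixture are constructed.
#
# Form quoted in the thread (shown for comparison, not executed):
#   find /var/www/sessiondata -type f -mmin +60 -exec rm -f {} \; 2> /dev/null > /dev/null
# rm is handed a path that is resolved again after find examined it, and
# -f plus the redirections hide every failure.

# Hardened form: find unlinks the entry itself (-delete), only looks at the
# top level of the directory, and leaves stderr and the exit status visible
# to the caller (under cron, that output reaches the administrator).
purge_sessions() {
    dir=$1
    max_age_min=$2
    [ -d "$dir" ] || { echo "purge_sessions: $dir is not a directory" >&2; return 2; }
    find "$dir" -mindepth 1 -maxdepth 1 -type f -mmin "+$max_age_min" -delete
}

# Constructed fixture: a stale session file, a fresh one, and a stale
# symlink whose target lives outside the session directory.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/sessions" "$base/outside"
    echo keep > "$base/outside/important"
    touch -d '2 hours ago' "$base/sessions/sess_old" "$base/outside/important"
    touch "$base/sessions/sess_new"
    ln -s "$base/outside/important" "$base/sessions/sess_link"
    touch -h -d '2 hours ago' "$base/sessions/sess_link"

    status=0
    purge_sessions "$base/sessions" 60 || status=$?

    # Report the exit status, what is left in the session directory, and
    # whether the file outside it survived.
    survivors=$(ls "$base/sessions" | sort | tr '\n' ' ')
    if [ -f "$base/outside/important" ]; then
        survivors="${survivors}important"
    fi
    rm -rf "$base"
    echo "$status:$survivors"
}

demo   # prints 0:sess_link sess_new important
```

Only the stale regular file is removed; the symlink is never handed to a second program, and a missing or unreadable directory produces a message and a non-zero status instead of silence.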