hanshenrik
Reputation: 21493
PHP constant-time realpath()?
I'm looking for a constant-time implementation of realpath() , does one exist?
I'm in a situation where a malicious actor may control the argument for realpath(), and could theoretically use a timing attack to deduce if realpath() pointed to a real file or not.
Upvotes: 0
Views: 71
Answers (1)
hanshenrik
Reputation: 21493
this should work,
function realpath_constant_time(string $path, float $target_seconds, bool &$constant_time_success = null){
$start_time=microtime(true);
$ret=realpath($path);
$constant_time_success = @time_sleep_until($start_time+$target_seconds);
return $ret;
}
for example, a realtime that always uses exactly 1 millisecond (should be more than enough for SSD-based servers, perhaps rotating harddrive based servers may need something closer to 10 milliseconds, i don't know):
realpath_constant_time("/path/to/../to/file.txt",0.001,$constant_time_success);
and you can use $constant_time_success to check if it was actually constant-time, or if you needed to set a higher value..
Upvotes: 0
Related Questions
- Why use realpath()?
- Is RealPath safe?
- How can I tune the PHP realpath cache?
- Timing attack with PHP
- What is realpath_cache in PHP?
- How does PHP realpath cache work under the hood?
- php, realpath versus realpath + file_exists usage
- Replace PHP's realpath()
- PHP timing mechanism
- "real" execution time limit