EDIT: Austin below in the comments resolved my issue. How do I close the question since that is the answer?
I have the following simple code to open/write to a query file on my server. I've checked permissions and even set +rw for all users on the query file, yet I still get the error
failed to open stream: resource temporarily unavailable
in my apache error log.
I'm not really sure what I can do to alleviate this issue, thoughts?
<?php
// filepaths
$queryFile = '../query/query.txt';
// get query
$query = $_GET['searchBox'];
// open and write query to query file
$fh = fopen($queryFile, 'X') or die("Can't open file");
fwrite($fh, $query);
fclose($fh);
It could only be one of a few things:
The PHP process is out of memory, file handles, or similar
The PHP environment's own limitations are exceeded somehow
The file itself has some limitation, such as a SELinux (Security Enhanced Linux) restriction.
To determine which it is, try opening the file outside PHP. Temporarily alter the script to open a different file. Look at what else the script does to validate whether it could possibly be running out of file handles, etc.
What does is_file($queryFile) and is_writable($queryFile) reveal? Maybe you are not in the correct working directory?
The parameter 'X' should be lowercase.
Related
I have an application that reads an IP and port from a file and then opens a HTTP connection to the address read. To be a little more sure that I'm connecting to the server I want to connect to I only want to trust the contents of the file if it's owned by root and not writable by anyone else.
I could check the owner and mode with fs.stat and then read the file contents but that would introduce a race condition.
Is there a way to atomically check the owner and the mode and read the file contents?
I dont think that with fs.stat you are introducing a race condition because you are only reading it and not writing on it, so i think that the solution that you found is the best one, right now.
You can maybe add a boolean variable to check if a function is still "reading" the file (after reading should set the boolean), to avoid problems.
I want to create a simple console application that would compare two files based on their filename and output the result into a new file.
My problem is that NodeJS refuses to create a new file if it doesn't exist, and acts like it doesn't exist even if I create it manually.
compare = (data) -> # data is being read from process.stdin
fname = "#{data}_compare.txt"
stdout.write "Attempting to compare #{data}" # stdout = process.stdout
fs.writeFileSync fname, 'A test.'
NodeJS returns Error: ENOENT, no such file or directory in both cases (when I want it to create the file, as well as when the file already exists).
I want the file to be created in the same folder from where the application is run, so path shouldn't be an issue at all (and indeed is correct in the error message).
I tried to specify {flags: 'w'} too, but as far as I know, that's the default value anyways, so it changed noting.
I'm running on Windows 10, tried running command prompt under administrator too, still nothing. Any idea what could be causing this?
The data variable is read from stdin and therefore contains a newline at the end. This is probably what's causing the non-descriptive ENOENT error.
You can remove the newline (and any other whitespace that user might have accidentally entered) with data = data.trim()
This would be better than the substring solution since the newline is 2 characters only on Windows and 1 character elsewhere.
Make sure the path exists (not necessarily the file itself, but the folder structure), and that the process user has write permissions.
An ENOENT error tells you that a component of the specified pathname does not exist -- no entity (file or directory) could be found by the given path.
Make sure you are putting the 'dot':
'./path/to/file'
I have a Java Web App running on Tomcat on which I'm supposed to exploit Path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available.
Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web riot directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?
Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...
Sorry about the downvotes. Security is very important, and should be taught.
Do you pass in the file name to be used?
The check that the server does is probably something something like If location starts with "/tmp" then allow it. So what you want to do is pass `/tmp/../home/webapp/"?
Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.
To protect against this kind of vulnerability you are looking for something like this:
String somedirectory = "c:/fixed_directory/";
String file = request.getParameter("file");
if(file.indexOf(".")>-1)
{
//if it contains a ., disallow
out.print("stop trying to hack");
return;
}
else
{
//load specified file and print to screen
loadfile(somedirectory+file+".txt");
///.....
}
If you just were to pass the variable "file" to your loadfile function without checking, then someone could make a link to load any file they want. See https://www.owasp.org/index.php/Path_Traversal
Dear Stack Overflow users,
I would appreciate you kind help with the following problem:
We have an Apache server functioning as a forward proxy, with ext_filter configured: whenever the response is of MIME type PDF, the filter is called (a perl script), and the PDF's content may be read from the STDIN. We read the PDF from STDIN, write it to a file and that's all. This almost always work well, but on one specific website, the PDF is malformed when written in the following way:
my $input_file = shift;
binmode STDIN;
open(OUT, ">" . $input_file);
binmode OUT;
foreach my $line (<STDIN>){
print OUT $line;
}
close OUT;
If we instead call 'tee' (set the filter to use 'tee')- the file is written correctly. Analyzing the malformed PDF shows that the xref table is malformed in the PDF we write and Adobe Reader fails to open it. We have already tried using sysopen,sysread etc. , using ":raw", and several other ways to write a binary file properly, and nothing worked (cut&paste code from documnetation for writing binary files). Only when using the 'tee' utility in linux as the filter, it was written correctly. This doesn't help us- we need to be able to write it to a file from stdin as part of the perl script. Any suggestions? If there could be a way to somehow call 'tee' with a system call, and give it STDIN of the perl program- it might could work. Many thanks in advance.
Well, although the code was basiclly correct, putting it inside "eval" somehow ruined thd PDF.
I still don't understand why, but deleting the eval solved the problem.
The perl is called from a context of ext_filter module of Apache.
I'll farther investigate this and update when I'll find an explanation for this.
Thanks for everyone.
I have a problem that closely relates to this problem Microsoft Excel Error: "There was a problem sending the command to the program." whereby opening Excel gives There was an error sending a command to the program error.
However, rather than the file existing and being opened or shortcutted-to, I am using MVC3 with an action that generates a bunch of data, generates an excel file (using NPOI), writes it to a MemoryStream and then chucks that to the browser using the built-in return File(etc) ActionResult, with something akin (but shortened here to aid readability) to this:
return File(myMemoryStream, "application/vnd.ms-excel", "filename.xls");
The first time you click the link which fires this action and returns this File - it comes up with the error. if you press ok and try it again it works, and will continue to work... forever
Now I know this is potentially something to do with disabling DDE/plug-ins or something in Excel - but since I'm generating an excel workbook and dumping it to a memory stream rather than opening something that exists permanently on the file system, I'm not sure what options I have to remove the issue.
Any suggestions on how to get around it? Perhaps I have the wrong mime-type?
The Content-Type application/vnd.ms-excel is sending the command to the Browser to open the file in the Browser. Which can be the cause of issue. Try setting the content type to application/x-msexcel.
In your example the browser will try to open an Excel spreadsheet in the browser (if the user has Excel installed).
return File(myMemoryStream, "application/vnd.ms-excel", "filename.xls")
Please make the following change
return File(myMemoryStream, "application/x-ms-excel", "filename.xls")