PHP constant-time realpath()?


I'm looking for a constant-time implementation of realpath(), does one exist?

I'm in a situation where a malicious actor may control the argument for realpath(), and could theoretically use a timing attack to deduce if realpath() pointed to a real file or not.


There are 1 best solutions below


This should work:

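function realpath_constant_time(string $path, float $target_seconds, ?bool &$constant_time_success = null){
    // Record the start so the total duration can be padded to $target_seconds.
    $start_time=microtime(true);
    $ret=realpath($path);
    // time_sleep_until() returns false (with a warning, suppressed here) if the deadline has already passed.
    $constant_time_success = @time_sleep_until($start_time+$target_seconds);
    return $ret;
}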

For example, a realpath that always uses exactly 1 millisecond (should be more than enough for SSD-based servers; perhaps rotating hard-drive-based servers may need something closer to 10 milliseconds, I don't know):

realpath_constant_time("/path/to/../to/file.txt",0.001,$constant_time_success);

And you can use $constant_time_success to check if it was actually constant-time, or if you needed to set a higher value.
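To check how well deadline padding hides the difference, the following added example (not the answer's code) pads realpath() against the monotonic clock and measures the median gap between a resolving and a non-resolving path, with and without padding. It assumes PHP 8 on a 64-bit build; `padded_realpath()`, `median_ns()` and the sample paths are hypothetical names and constructed inputs.

```php
<?php
declare(strict_types=1);

/** realpath() padded to a fixed budget; $missed is true when the budget was exceeded. */
function padded_realpath(string $path, int $budgetNs, ?bool &$missed = null): string|false
{
    $deadline  = hrtime(true) + $budgetNs;   // monotonic, unaffected by wall-clock adjustments
    $result    = realpath($path);
    $remaining = $deadline - hrtime(true);
    $missed    = $remaining <= 0;            // missed deadline: the real duration was observable
    if (!$missed) {
        time_nanosleep(intdiv($remaining, 1_000_000_000), $remaining % 1_000_000_000);
    }
    return $result;
}

/** Median duration of $fn($path) over $runs samples, in nanoseconds. */
function median_ns(callable $fn, string $path, int $runs): int
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        clearstatcache(true);                // drop PHP's realpath cache so each sample does the lookup
        $t0 = hrtime(true);
        $fn($path);
        $samples[] = hrtime(true) - $t0;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

$budgetNs = 1_000_000;                       // 1 ms, the value used in the answer
$existing = __FILE__;                        // constructed input: resolves
$missing  = __DIR__ . '/no-such-entry-' . bin2hex(random_bytes(4)); // constructed: does not resolve
$misses   = 0;

$raw    = fn(string $p) => realpath($p);
$padded = function (string $p) use ($budgetNs, &$misses) {
    $r = padded_realpath($p, $budgetNs, $missed);
    $misses += (int) $missed;
    return $r;
};

foreach (['raw' => $raw, 'padded' => $padded] as $label => $fn) {
    $a = median_ns($fn, $existing, 200);
    $b = median_ns($fn, $missing, 200);
    printf("%-6s existing=%8d ns  missing=%8d ns  gap=%d ns\n", $label, $a, $b, abs($a - $b));
}
printf("deadline misses: %d of 400 padded calls\n", $misses);
```

A non-zero miss count means the budget is too small for that storage. Any residual gap in the padded row comes from sleep wake-up jitter, not from the lookup itself.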