I'm looking for a constant-time implementation of realpath() , does one exist?
I'm in a situation where a malicious actor may control the argument for realpath(), and could theoretically use a timing attack to deduce if realpath() pointed to a real file or not.
this should work,
function realpath_constant_time(string $path, float $target_seconds, bool &$constant_time_success = null){
$start_time=microtime(true);
$ret=realpath($path);
$constant_time_success = @time_sleep_until($start_time+$target_seconds);
return $ret;
}
for example, a realtime that always uses exactly 1 millisecond (should be more than enough for SSD-based servers, perhaps rotating harddrive based servers may need something closer to 10 milliseconds, i don't know):
realpath_constant_time("/path/to/../to/file.txt",0.001,$constant_time_success);
and you can use $constant_time_success to check if it was actually constant-time, or if you needed to set a higher value..