diff options
| author | Joe <krakjoe@php.net> | 2018-02-08 10:33:15 +0100 |
|---|---|---|
| committer | Joe <krakjoe@php.net> | 2018-02-08 10:34:38 +0100 |
| commit | c8e844be350c7684675d84cbd159d96deb6395b7 (patch) | |
| tree | 6bee640578798b18ebdeec84f3da368f9dbe54d5 | |
| parent | 748c40867b1b9c98bb64904ec45e1a0720739b4d (diff) | |
| parent | 44a1271ea0bd97eaeb237a3c26470e2172bcde2b (diff) | |
| download | php-git-c8e844be350c7684675d84cbd159d96deb6395b7.tar.gz | |
Merge branch 'PHP-7.2'
* PHP-7.2:
Fixed bug #65414
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/phar/phar_object.c | 10 | ||||
| -rw-r--r-- | ext/phar/tests/bug65414.phpt | 36 |
3 files changed, 45 insertions, 3 deletions
@@ -122,6 +122,8 @@ PHP NEWS - phar: . Fixed bug #74991 (include_path has a 4096 char limit in some cases). (bwbroersma) + . Fixed bug #65414 (deal with leading slash when adding files correctly). + (bishopb) - pgsql: . Added new error constants for pg_result_error(): (Kalle) diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index 6234505995..6cbcfba8fb 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -3682,14 +3682,18 @@ PHP_METHOD(Phar, offsetGet) */ static void phar_add_file(phar_archive_data **pphar, char *filename, int filename_len, char *cont_str, size_t cont_len, zval *zresource) { + int start_pos=0; char *error; size_t contents_len; phar_entry_data *data; php_stream *contents_file; - if (filename_len >= (int)sizeof(".phar")-1 && !memcmp(filename, ".phar", sizeof(".phar")-1) && (filename[5] == '/' || filename[5] == '\\' || filename[5] == '\0')) { - zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create any files in magic \".phar\" directory"); - return; + if (filename_len >= (int)sizeof(".phar")-1) { + start_pos = ('/' == filename[0] ? 1 : 0); /* account for any leading slash: multiple-leads handled elsewhere */ + if (!memcmp(&filename[start_pos], ".phar", sizeof(".phar")-1) && (filename[start_pos+5] == '/' || filename[start_pos+5] == '\\' || filename[start_pos+5] == '\0')) { + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create any files in magic \".phar\" directory"); + return; + } } if (!(data = phar_get_or_create_entry_data((*pphar)->fname, (*pphar)->fname_len, filename, filename_len, "w+b", 0, &error, 1))) { diff --git a/ext/phar/tests/bug65414.phpt b/ext/phar/tests/bug65414.phpt new file mode 100644 index 0000000000..964ec72870 --- /dev/null +++ b/ext/phar/tests/bug65414.phpt @@ -0,0 +1,36 @@ +--TEST-- +Bug #65414 Injection (A1) in .phar files magic .phar directory +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--INI-- +phar.readonly = 0 +--FILE-- +<?php +$phar = new \Phar(__DIR__ . '/bug65414.phar', 0, 'bug65414.phar'); +$bads = [ + '.phar/injected-1.txt', + '/.phar/injected-2.txt', + '//.phar/injected-3.txt', + '/.phar/', +]; +foreach ($bads as $bad) { + echo $bad . ':'; + try { + $phar->addFromString($bad, 'this content is injected'); + echo 'Failed to throw expected exception'; + } catch (BadMethodCallException $ex) { + echo $ex->getMessage() . PHP_EOL; + } +} +echo 'done' . PHP_EOL; +?> +--CLEAN-- +<?php +unlink(__DIR__ . '/bug65414.phar'); +?> +--EXPECT-- +.phar/injected-1.txt:Cannot create any files in magic ".phar" directory +/.phar/injected-2.txt:Cannot create any files in magic ".phar" directory +//.phar/injected-3.txt:Entry //.phar/injected-3.txt does not exist and cannot be created: phar error: invalid path "//.phar/injected-3.txt" contains double slash +/.phar/:Cannot create any files in magic ".phar" directory +done |