archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix #81211: Symlinks are followed when creating PHAR archive

Browse source 
It is insufficient to check whether the `base` is contained in `fname`;
we also need to ensure that `fname` is properly separated.  And of
course, `fname` has to start with `base`.
This commit is contained in:
Christoph M. Becker 2021-08-23 13:42:17 +02:00 committed by Stanislav Malyshev
parent 53ea910d17
commit 2ff853aa11
No known key found for this signature in database
GPG key ID: 94B3CB48C3ECA219
3 changed files with 55 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
ext/phar/phar_object.c
View file

@ -1405,6 +1405,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
zend_class_entry *ce = p_obj->c;
phar_archive_object *phar_obj = p_obj->p;
php_stream_statbuf ssb;
char ch;
value = iter->funcs->get_current_data(iter);
@ -1528,7 +1529,7 @@ phar_spl_fileinfo:
base = temp;
base_len = strlen(base);
if (strstr(fname, base)) {
if (fname_len >= base_len && strncmp(fname, base, base_len) == 0 && ((ch = fname[base_len - IS_SLASH(base[base_len - 1])]) == '\0' || IS_SLASH(ch))) {
str_key_len = fname_len - base_len;
if (str_key_len <= 0) {

45
ext/phar/tests/bug81211.phpt Normal file
View file

@ -0,0 +1,45 @@
--TEST--
Bug #81211 (Symlinks are followed when creating PHAR archive)
--SKIPIF--
<?php
if (!extension_loaded('phar')) die('skip phar extension is not available');
if (PHP_OS_FAMILY === 'Windows') {
if (false === include __DIR__ . '/../../standard/tests/file/windows_links/common.inc') {
die('skip windows_links/common.inc is not available');
}
skipIfSeCreateSymbolicLinkPrivilegeIsDisabled(__FILE__);
}
?>
--FILE--
<?php
mkdir(__DIR__ . '/bug81211');
mkdir(__DIR__ . '/bug81211/foobar');
mkdir(__DIR__ . '/bug81211/foo');
file_put_contents(__DIR__ . '/bug81211/foobar/file', 'this file should NOT be included in the archive!');
symlink(__DIR__ . '/bug81211/foobar/file', __DIR__ . '/bug81211/foo/symlink');
$archive = new PharData(__DIR__ . '/bug81211/archive.tar');
try {
$archive->buildFromDirectory(__DIR__ . '/bug81211/foo');
} catch (UnexpectedValueException $ex) {
echo $ex->getMessage(), PHP_EOL;
}
try {
$archive->buildFromIterator(new RecursiveDirectoryIterator(__DIR__ . '/bug81211/foo', FilesystemIterator::SKIP_DOTS), __DIR__ . '/bug81211/foo');
} catch (UnexpectedValueException $ex) {
echo $ex->getMessage(), PHP_EOL;
}
?>
--CLEAN--
<?php
@unlink(__DIR__ . '/bug81211/archive.tar');
@unlink(__DIR__ . '/bug81211/foo/symlink');
@unlink(__DIR__ . '/bug81211/foobar/file');
@rmdir(__DIR__ . '/bug81211/foo');
@rmdir(__DIR__ . '/bug81211/foobar');
@rmdir(__DIR__ . '/bug81211');
?>
--EXPECTF--
Iterator RecursiveIteratorIterator returned a path "%s%ebug81211\foobar\file" that is not in the base directory "%s%ebug81211\foo"
Iterator RecursiveDirectoryIterator returned a path "%s%ebug81211\foobar\file" that is not in the base directory "%s%ebug81211\foo"

9
ext/standard/tests/file/windows_links/common.inc
View file

@ -20,4 +20,11 @@ function get_mountvol() {
return "$sysroot\\System32\\mountvol.exe";
}
?>
function skipIfSeCreateSymbolicLinkPrivilegeIsDisabled(string $filename) {
$ln = "$filename.lnk";
$ret = exec("mklink $ln " . __FILE__ .' 2>&1', $out);
@unlink($ln);
if (strpos($ret, 'privilege') !== false) {
die('skip SeCreateSymbolicLinkPrivilege not enabled');
}
}