- MFH: Fixed possible relative path issues in zip_open in TS mode (old API)

2025-08-16 05:58:45 +02:00 · 2007-03-14 11:32:25 +00:00 · 2007-03-14 11:32:25 +00:00 · b40b5b5305
commit b40b5b5305
parent 1c0b8e6f15
2 changed files with 12 additions and 0 deletions
--- a/1
+++ b/1
@ -15,6 +15,7 @@ PHP                                                                        NEWS
 - Added --ri switch to CLI which allows to check extension information. (Marcus)
 - Added tidyNode::getParent() method (John, Nuno)
 - Added openbasedir and safemode checks in zip:// stream wrapper (Pierre)
+- Fixed possible relative path issues in zip_open and TS mode (old API) (Pierre)
 - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
 - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
 - Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@ -616,16 +616,27 @@ static PHP_FUNCTION(zip_open)
 {
 	char     *filename;
 	int       filename_len;
+	char resolved_path[MAXPATHLEN + 1];
 	zip_rsrc *rsrc_int;
 	int err = 0;

 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
 		return;
 	}
+
+	if (filename_len == 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty string as source");
+		RETURN_FALSE;
+	}
+
 	if (OPENBASEDIR_CHECKPATH(filename)) {
 		RETURN_FALSE;
 	}

+	if(!expand_filepath(filename, resolved_path TSRMLS_CC)) {
+		RETURN_FALSE;
+	}
+
 	rsrc_int = (zip_rsrc *)emalloc(sizeof(zip_rsrc));

 	rsrc_int->za = zip_open(filename, 0, &err);