archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 14:08:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fixed bug #65414

Browse source
This commit is contained in:
Bishop Bettini 2018-02-01 21:29:37 -05:00 committed by Joe
parent 01eafceea1
commit d806d0315f
No known key found for this signature in database
GPG key ID: F9BA0ADA31CBD89E
3 changed files with 47 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
NEWS
View file

@ -12,6 +12,10 @@ PHP NEWS
- ODBC: - ODBC:
. Fixed bug #73725 (Unable to retrieve value of varchar(max) type). (Anatol) . Fixed bug #73725 (Unable to retrieve value of varchar(max) type). (Anatol)
- Phar:
. Fixed bug #65414 (deal with leading slash when adding files correctly).
(bishopb)
- SPL: - SPL:
. Fixed bug #74519 (strange behavior of AppendIterator). (jhdxr) . Fixed bug #74519 (strange behavior of AppendIterator). (jhdxr)

10
ext/phar/phar_object.c
View file

@ -3635,14 +3635,18 @@ PHP_METHOD(Phar, offsetGet)
*/ */
static void phar_add_file(phar_archive_data **pphar, char *filename, int filename_len, char *cont_str, size_t cont_len, zval *zresource) static void phar_add_file(phar_archive_data **pphar, char *filename, int filename_len, char *cont_str, size_t cont_len, zval *zresource)
{ {
int start_pos=0;
char *error; char *error;
size_t contents_len; size_t contents_len;
phar_entry_data *data; phar_entry_data *data;
php_stream *contents_file; php_stream *contents_file;
if (filename_len >= (int)sizeof(".phar")-1 && !memcmp(filename, ".phar", sizeof(".phar")-1) && (filename[5] == '/' || filename[5] == '\\' || filename[5] == '\0')) { if (filename_len >= (int)sizeof(".phar")-1) {
zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create any files in magic \".phar\" directory"); start_pos = ('/' == filename[0] ? 1 : 0); /* account for any leading slash: multiple-leads handled elsewhere */
return; if (!memcmp(&filename[start_pos], ".phar", sizeof(".phar")-1) && (filename[start_pos+5] == '/' || filename[start_pos+5] == '\\' || filename[start_pos+5] == '\0')) {
zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create any files in magic \".phar\" directory");
return;
}
} }
if (!(data = phar_get_or_create_entry_data((*pphar)->fname, (*pphar)->fname_len, filename, filename_len, "w+b", 0, &error, 1))) { if (!(data = phar_get_or_create_entry_data((*pphar)->fname, (*pphar)->fname_len, filename, filename_len, "w+b", 0, &error, 1))) {

36
ext/phar/tests/bug65414.phpt Normal file
View file

@ -0,0 +1,36 @@
--TEST--
Bug #65414 Injection (A1) in .phar files magic .phar directory
--SKIPIF--
<?php if (!extension_loaded("phar")) die("skip"); ?>
--INI--
phar.readonly = 0
--FILE--
<?php
$phar = new \Phar(__DIR__ . '/bug65414.phar', 0, 'bug65414.phar');
$bads = [
'.phar/injected-1.txt',
'/.phar/injected-2.txt',
'//.phar/injected-3.txt',
'/.phar/',
];
foreach ($bads as $bad) {
echo $bad . ':';
try {
$phar->addFromString($bad, 'this content is injected');
echo 'Failed to throw expected exception';
} catch (BadMethodCallException $ex) {
echo $ex->getMessage() . PHP_EOL;
}
}
echo 'done' . PHP_EOL;
?>
--CLEAN--
<?php
unlink(__DIR__ . '/bug65414.phar');
?>
--EXPECT--
.phar/injected-1.txt:Cannot create any files in magic ".phar" directory
/.phar/injected-2.txt:Cannot create any files in magic ".phar" directory
//.phar/injected-3.txt:Entry //.phar/injected-3.txt does not exist and cannot be created: phar error: invalid path "//.phar/injected-3.txt" contains double slash
/.phar/:Cannot create any files in magic ".phar" directory
done