|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2013-12-19 10:00 UTC] remi@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: remi
[2013-12-19 10:00 UTC] remi@php.net
[2016-05-14 15:15 UTC] kaplan@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Tue Mar 04 06:01:27 2025 UTC |
Description: ------------ the PHP function ZipArchive::open() use 'filename_len' from parmeter as ze_obj->filename's length( ze_obj->filename_len ),called the function expand_filepath the resolved_path's length may less than filename's length。Although there was not where to use ze_obj->filename_len at present, i think it was a security risk, maybe someday. ============================================= if (!expand_filepath(filename, resolved_path TSRMLS_CC)) { RETURN_FALSE; } if (ze_obj->za) { /* we already have an opened zip, free it */ if (zip_close(ze_obj->za) != 0) { _zip_free(ze_obj->za); } ze_obj->za = NULL; } if (ze_obj->filename) { efree(ze_obj->filename); ze_obj->filename = NULL; } intern = zip_open(resolved_path, flags, &err); if (!intern || err) { RETURN_LONG((long)err); } ze_obj->filename = estrdup(resolved_path); // here is use resolved_path as filename ze_obj->filename_len = filename_len; // but here is use len from args ze_obj->za = intern; RETURN_TRUE; Test script: --------------- <?php $zip = new ZipArchive; $fn = "/../../../../root/test.zip"; #var_dump( $fn ); $res = $zip->open($fn); if ($res === TRUE) { echo 'ok'; $zip->extractTo('test'); $zip->close(); } else { echo 'failed, code:' . $res; } ?>