Bug #73910 Missing null byte checks for paths in ZipArchive::extractTo
Submitted: 2017-01-10 20:32 UTC Modified: 2017-01-16 07:05 UTC
From: max at cert dot cx Assigned: stas (profile)
Status: Closed Package: Zip Related
PHP Version: 5.6.29 OS: *
Private report: No CVE-ID: None
 [2017-01-10 20:32 UTC] max at cert dot cx
Description:
------------
ZipArchive->extractTo() doesn't ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the directory path.

Affected method:
------------------------------------------
static ZIPARCHIVE_METHOD(extractTo)
{
    struct zip *intern;
 
    zval *self = getThis();
    zval *zval_files = NULL;
    zval *zval_file = NULL;
    php_stream_statbuf ssb;
    ...
    if (!self) {
        RETURN_FALSE;
    }
 
    /* "s" accepts any binary-safe string, including one with embedded NUL bytes */
    if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|z", &pathto, &pathto_len, &zval_files) == FAILURE) {
        return;
    }
 
    /* only the length is checked; the content of pathto is never inspected for NUL */
    if (pathto_len < 1) {
        RETURN_FALSE;
    }
------------------------------------------




Test script:
---------------
<?php

if(file_exists("LEVELA/EXTRACTED__HERE")) echo "LEVELA/EXTRACTED__HERE EXISTS!!!1\n";
if(file_exists("LEVELA/LEVELB/EXTRACTED__HERE")) echo "LEVELB/EXTRACTED__HERE EXISTS!!!2\n";

$zip = new ZipArchive;
if ($zip->open('toPack/EXTRACTED__HERE.zip') === TRUE) {
   $zip->extractTo("./LEVELA/\0LEVELB");
   $zip->close();
   echo "ok\n";
} else {
   echo "failed\n";
}

if(file_exists("LEVELA/EXTRACTED__HERE")) echo "LEVELA/EXTRACTED__HERE EXISTS!!!3\n";
if(file_exists("LEVELA/LEVELB/EXTRACTED__HERE")) echo "LEVELB/EXTRACTED__HERE EXISTS!!!4\n";

?>

Expected result:
----------------
expected: parameter rejected as not a valid string

Actual result:
--------------
# php zip.php 
ok
LEVELA/EXTRACTED__HERE EXISTS!!!3
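The mechanism behind the result above, as an added example that is not part of the report or of the PHP source: a PHP string carries an explicit length and may contain NUL, but once it is handed to a strlen()-based C or filesystem API everything after the first NUL is dropped, so "./LEVELA/\0LEVELB" is extracted into LEVELA. The functions naive_target_dir and checked_target_dir are hypothetical models written for this page; the embedded-NUL test (strlen() differing from the declared length) is the same check the Zend "p" path specifier performs, and the sample path is constructed from the test script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the reporter's "./LEVELA/\0LEVELB" with its real
 * length, the way a length-prefixed PHP string reaches the extension. */
static const char ATTACK_PATH[] = "./LEVELA/\0LEVELB";
#define ATTACK_PATH_LEN (sizeof(ATTACK_PATH) - 1)   /* 16 bytes, not 9 */

/* Hypothetical model of the unchecked path handling: the declared length
 * is ignored and the bytes are treated as a C string, so the filesystem
 * sees only the prefix before the NUL. Returns a malloc'd copy of that. */
char *naive_target_dir(const char *pathto, size_t pathto_len)
{
    (void)pathto_len;              /* never consulted: that is the bug */
    size_t seen = strlen(pathto);  /* stops at the embedded NUL */
    char *out = malloc(seen + 1);
    if (!out) return NULL;
    memcpy(out, pathto, seen);
    out[seen] = '\0';
    return out;
}

/* An embedded NUL is exactly the case where strlen() disagrees with the
 * declared length; this is the test the Zend "p" specifier applies. */
int has_embedded_nul(const char *s, size_t len)
{
    return strlen(s) != len;
}

/* Hypothetical hardened model: reject the path before any C string API
 * touches it. Returns NULL for an empty or NUL-containing path, otherwise
 * a malloc'd copy that is guaranteed to be NUL-free. */
char *checked_target_dir(const char *pathto, size_t pathto_len)
{
    if (pathto_len < 1 || has_embedded_nul(pathto, pathto_len)) {
        return NULL;
    }
    char *out = malloc(pathto_len + 1);
    if (!out) return NULL;
    memcpy(out, pathto, pathto_len);
    out[pathto_len] = '\0';
    return out;
}

int main(void)
{
    char *naive = naive_target_dir(ATTACK_PATH, ATTACK_PATH_LEN);
    char *checked = checked_target_dir(ATTACK_PATH, ATTACK_PATH_LEN);

    printf("declared length : %zu\n", ATTACK_PATH_LEN);
    printf("unchecked target: \"%s\"\n", naive ? naive : "(null)");
    printf("checked target  : %s\n",
           checked ? checked : "rejected (embedded NUL)");

    free(naive);
    free(checked);
    return 0;
}
```

Run stand-alone it prints the truncated "./LEVELA/" for the unchecked model and a rejection for the checked one, which is why the report's file_exists() probe finds the archive contents directly under LEVELA. The practical rule for extension authors is the one the fix relies on: parse filesystem paths with "p" (or "P") rather than "s", or apply the same strlen-versus-length test yourself before the bytes reach any path API.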

Patches

fix-73910 (last revision 2017-01-12 01:05 UTC by cmb@php.net)

Pull Requests

History

 [2017-01-12 00:09 UTC] cmb@php.net
-Package: zip +Package: Zip Related
 [2017-01-12 00:52 UTC] cmb@php.net
-Summary: Missing null byte checks for paths in ZipArchive -> extractTo +Summary: Missing null byte checks for paths in ZipArchive::extractTo -Status: Open +Status: Verified -PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-12 01:05 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-73910
Revision:   1484183147
URL:        https://bugs.php.net/patch-display.php?bug=73910&patch=fix-73910&revision=1484183147
 [2017-01-12 01:31 UTC] cmb@php.net
-Operating System: BSD +Operating System: *
 [2017-01-16 01:36 UTC] stas@php.net
-Status: Verified +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: stas
 [2017-01-16 01:36 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-01-16 07:05 UTC] max at cert dot cx
In your opinion, is it a security flaw? If not, what is the difference between CVE-2015-4598, CVE-2015-3412, CVE-2015-3411 and this vulnerability?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 17:01:31 2024 UTC