php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77214 ZipArchive::extractTo() errors on directories ending with .
Submitted: 2018-11-28 16:21 UTC Modified: 2018-11-28 19:19 UTC
Votes:6
Avg. Score:3.8 ± 1.1
Reproduced:6 of 6 (100.0%)
Same Version:1 (16.7%)
Same OS:5 (83.3%)
From: nystrom dot lars dot egon at gmail dot com Assigned:
Status: Verified Package: Zip Related
PHP Version: 7.2.12 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nystrom dot lars dot egon at gmail dot com
New email:
PHP Version: OS:

 

 [2018-11-28 16:21 UTC] nystrom dot lars dot egon at gmail dot com 
Description:
------------
This is closely related to bug #69477, but I'm experiencing a different behavior.

When you have a zip archive that contains a directory with a name that ends with . (a dot) ZipArchive errors out with the message:

ZipArchive::extractTo(/path/to/extract/to/): failed to open stream: Is a directory



Test script:
---------------
$extractPath = "/path/to/extract/to";
$zip = new ZipArchive;
$zip->open("/path/to/zipfile");
// Next line causes the error if the zip file contains a directory named 'myfolder.'
$zip->extractTo($extractPath, ['myfolder.']);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-28 19:19 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-11-28 19:19 UTC] cmb@php.net 
I get this error message if the archive contains an *empty*
directory entry with a trailing dot.  Test script:

    <?php

    $zip = new ZipArchive;
    $zip->open(__DIR__ . '/77214.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $zip->addEmptyDir('foo.');
    $zip->close();

    $zip->open(__DIR__ . '/77214.zip');
    $zip->extractTo(__DIR__ . '/77214');
    $zip->close();

The culprit is php_zip_make_relative_path()[1], which mistakenly
returns an empty string instead of "foo."

[1] <https://github.com/php/php-src/blob/php-7.3.0RC6/ext/zip/php_zip.c#L115-L130>
 [2021-01-14 18:58 UTC] david at moodle dot com 
I was experiencing this problem as well and I was able to debug it to what I believe causes the bug.

Let us have a simple ZIP archive to reproduce the problem, having a single file with the path

    dot./sub/file.txt

When using ZipArchive::extractTo() to extract this file, the file was actually extracted into

    sub/file.txt

Looking at the function source code at https://github.com/php/php-src/blob/533af1eb14dbeb10c83f291b07da62b70d0df8ae/ext/zip/php_zip.c#L2714 I saw that it calls `php_zip_extract_file()` from the same file to do the job.

The function in turn calls `php_zip_make_relative_path()` to clean the file paths and avoid path traversal attack - see https://github.com/php/php-src/blob/533af1eb14dbeb10c83f291b07da62b70d0df8ae/ext/zip/php_zip.c#L146-L150

From the implementation of `php_zip_make_relative_path()` at https://github.com/php/php-src/blob/533af1eb14dbeb10c83f291b07da62b70d0df8ae/ext/zip/php_zip.c#L83-L117 I understood that it iterates through the file path from the end to the start and when it finds a slash character with a dot before it, it trims that whole part and starts from the position after the slash.

I believe that is wrong. To avoid traversal attack, it should check for two dots before the slash (like ../something). Also it seems there seems to be off-by-one mistake as the comment there reads "i is the position of ." but I think that i is the position of the slash.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 13:01:29 2024 UTC