Bug #64931 phar_add_file is too restrictive on filename
Submitted: 2013-05-27 15:43 UTC Modified: -
Votes:3
Avg. Score:3.3 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: william dot martin at power-lan dot com Assigned:
Status: Closed Package: PHAR related
PHP Version: 5.4.15 OS: Linux
Private report: No CVE-ID: None

 [2013-05-27 15:43 UTC] william dot martin at power-lan dot com
Description:
------------
The function phar_add_file starts by testing whether we are trying to write 
something in the ".phar" magic directory, but the test really is: does the 
file path start with ".phar"?

So if you try to pack files like ".pharignore", PHP throws an exception: "Error: 
Cannot create any files in magic ".phar" directory".

Test script:
---------------
<?php

touch(".pharignore");
$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFile(".pharignore", ".pharignore");


 [2013-08-07 10:54 UTC] hanskrentel at yahoo dot de
According to the code, the error message is different to what the code does:

http://lxr.php.net/xref/PHP_5_4/ext/phar/phar_object.c#3708

The code checks if the filename starts with ".phar". The message says there would be a ".phar" directory (and that one is magic).

I don't know what is magic about ".phar". I guess the error message is not lying and it's about a directory. And indeed one can find some more references to that string containing files like:

".phar/stub.php"
".phar/alias.txt"

A more proper check would probably be to check for the sole string ".phar" (fixed length) or ".phar/" (for the start).

There are multiple places where the check is not done that consequently, for example as well in

http://lxr.php.net/xref/PHP_5_4/ext/phar/phar_object.c#3825

Taking the knowledge from those settings reveals the feature to create such files:

<?php
touch(".pharignore");
$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFile(".pharignore", "/.pharignore");
?>

This code creates the file ".pharignore" inside. It's also possible to add files inside the magic ".phar" folder for which I'll create a new ticket.
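
Added example, not part of the original report and not the php-src code or its fix: a C sketch contrasting the prefix-only test described above with the exact ".phar" or ".phar/" prefix check the comment suggests. The function names and the leading-slash normalization are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAGIC     ".phar"
#define MAGIC_LEN (sizeof(MAGIC) - 1)

/* Behaviour described in the report: any entry name that merely
 * begins with ".phar" is treated as the magic directory. */
static int is_magic_prefix_only(const char *name)
{
    return strncmp(name, MAGIC, MAGIC_LEN) == 0;
}

/* Stricter check (illustrative assumption, not the project's code):
 * drop leading slashes first, because the "/.pharignore" example above
 * shows the stored name loses its leading slash, then match only
 * ".phar" itself or a path below ".phar/". */
static int is_magic_dir(const char *name)
{
    while (*name == '/')
        name++;
    if (strncmp(name, MAGIC, MAGIC_LEN) != 0)
        return 0;
    return name[MAGIC_LEN] == '\0' || name[MAGIC_LEN] == '/';
}

int main(void)
{
    /* Constructed sample entry names. */
    const char *samples[] = {
        ".pharignore", "/.pharignore", ".phar",
        ".phar/stub.php", "/.phar/stub.php", "src/.phar/x"
    };
    size_t i;

    printf("%-18s %-12s %s\n", "entry name", "prefix-only", "dir check");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s %-12s %s\n", samples[i],
               is_magic_prefix_only(samples[i]) ? "reject" : "allow",
               is_magic_dir(samples[i]) ? "reject" : "allow");
    return 0;
}
```
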
 [2013-08-07 11:02 UTC] hanskrentel at yahoo dot de
The related bug is: Sec Bug #65414
 [2015-03-30 14:29 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6480725007bdc5bab4f24ac481a4cb082074851d
Log: Fixed bug #64931
 [2015-03-30 14:29 UTC] mike@php.net
-Status: Open +Status: Closed
Last updated: Thu Nov 21 12:01:29 2024 UTC