Description:
------------
This issue is somewhat similar to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658 but more limited: it only allows you to create new directories, not files.

Inside php_zip.c there's a function called php_zip_make_relative_path which is used to sanitize the file path when extracting a file/directory from a ZIP. When extracting a file the sanitized pathname is used, so files are only created inside of the directory where they're being extracted. However, for directories, the unsanitized/user-provided "file" value is used instead of the sanitized"path_cleaned" value (https://github.com/php/php-src/blob/026b41ba664bd8f76d6d201d7af8e70c8b650194/ext/zip/php_zip.c#L172-L176). As a result, a directory can be created outside of the directory where a ZIP file is being extracted.

Compared to CVE-2008-5658 this is a much more minor issue since it is limited to the creation of directories rather than files. This issue appears to have been previously reported as #67996 but was closed as not a bug.

Test script:
---------------
<?php
$archive = new ZipArchive();
$archive->open('a.zip',ZipArchive::CREATE);
$archive->addEmptyDir("../down2/");
$archive->close();

$archive2 = new ZipArchive();
$archive2->open('a.zip');
$archive2->extractTo('.');
$archive2->close();

Expected result:
----------------
A directory called down2 is created inside of .

Actual result:
--------------
A directory called down2 is created inside of the parent directory.