Bug #73910 Missing null byte checks for paths in ZipArchive::extractTo
Submitted: 2017-01-10 20:32 UTC Modified: 2017-01-16 07:05 UTC
From: max at cert dot cx Assigned: stas (profile)
Status: Closed Package: Zip Related
PHP Version: 5.6.29 OS: *
Private report: No CVE-ID: None
 [2017-01-10 20:32 UTC] max at cert dot cx
Description:
------------
ZipArchive->extractTo() doesn't ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the directory path.

Affected method:
------------------------------------------
static ZIPARCHIVE_METHOD(extractTo)
{
    struct zip *intern;
 
    zval *self = getThis();
    zval *zval_files = NULL;
    zval *zval_file = NULL;
    php_stream_statbuf ssb;
    ...
    if (!self) {
        RETURN_FALSE;
    }
 
    if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|z", &pathto, &pathto_len, &zval_files) == FAILURE) {
        return;
    }
 
    if (pathto_len < 1) {
        RETURN_FALSE;
    }
------------------------------------------




Test script:
---------------
<?php

if(file_exists("LEVELA/EXTRACTED__HERE")) echo "LEVELA/EXTRACTED__HERE EXISTS!!!1\n";
if(file_exists("LEVELA/LEVELB/EXTRACTED__HERE")) echo "LEVELB/EXTRACTED__HERE EXISTS!!!2\n";

$zip = new ZipArchive;
if ($zip->open('toPack/EXTRACTED__HERE.zip') === TRUE) {
   $zip->extractTo("./LEVELA/\0LEVELB");
   $zip->close();
   echo "ok\n";
} else {
   echo "failed\n";
}

if(file_exists("LEVELA/EXTRACTED__HERE")) echo "LEVELA/EXTRACTED__HERE EXISTS!!!3\n";
if(file_exists("LEVELA/LEVELB/EXTRACTED__HERE")) echo "LEVELB/EXTRACTED__HERE EXISTS!!!4\n";

?>

Expected result:
----------------
expected parameter not string

Actual result:
--------------
# php zip.php 
ok
LEVELA/EXTRACTED__HERE EXISTS!!!3
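
The failure mode behind the report, shown as an added C example (constructed for illustration, not PHP's own source): PHP strings are length-counted, but the C filesystem calls that extractTo ends up in stop at the first NUL byte, so the 16-byte value "./LEVELA/\0LEVELB" is used as "./LEVELA/". The helper names below are hypothetical; the check they implement, refusing any path whose length-counted bytes contain a NUL, is what the affected parameter parsing lacked.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* True when the length-counted buffer contains an embedded NUL, i.e. when
   the path a NUL-terminated C API would see differs from the PHP string.
   Hypothetical helper, not part of PHP. */
bool path_has_embedded_nul(const char *path, size_t len)
{
    return memchr(path, '\0', len) != NULL;
}

/* Length of the path as a NUL-terminated C API (mkdir, open, ...) sees it. */
size_t effective_path_len(const char *path, size_t len)
{
    const char *nul = memchr(path, '\0', len);
    return nul ? (size_t)(nul - path) : len;
}

/* Stand-in for a path parameter check: copies the path into out and returns
   0 when it is non-empty and NUL-free, otherwise -1 so the caller refuses to
   extract instead of silently using a truncated directory. */
int validate_extract_path(const char *path, size_t len, char *out, size_t outsz)
{
    if (len == 0 || len >= outsz || path_has_embedded_nul(path, len))
        return -1;
    memcpy(out, path, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs mirroring the report's test script. */
    const char bad[] = "./LEVELA/\0LEVELB";   /* sizeof counts the trailing NUL */
    size_t bad_len = sizeof(bad) - 1;         /* 16 bytes, as PHP counts them */
    const char good[] = "./LEVELA/LEVELB";
    char buf[64];

    printf("PHP length %zu, C sees %zu\n", bad_len, effective_path_len(bad, bad_len));
    printf("bad -> %d, good -> %d\n",
           validate_extract_path(bad, bad_len, buf, sizeof buf),
           validate_extract_path(good, sizeof(good) - 1, buf, sizeof buf));
    return 0;
}
```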

Patches

fix-73910 (last revision 2017-01-12 01:05 UTC by cmb@php.net)

Pull Requests

History

 [2017-01-12 00:09 UTC] cmb@php.net
-Package: zip +Package: Zip Related
 [2017-01-12 00:52 UTC] cmb@php.net
-Summary: Missing null byte checks for paths in ZipArchive -> extractTo +Summary: Missing null byte checks for paths in ZipArchive::extractTo -Status: Open +Status: Verified -PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-12 01:05 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-73910
Revision:   1484183147
URL:        https://bugs.php.net/patch-display.php?bug=73910&patch=fix-73910&revision=1484183147
 [2017-01-12 01:31 UTC] cmb@php.net
-Operating System: BSD +Operating System: *
 [2017-01-16 01:36 UTC] stas@php.net
-Status: Verified +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: stas
 [2017-01-16 01:36 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-01-16 07:05 UTC] max at cert dot cx
In your opinion, is it a security flaw? If not, what is the difference between CVE-2015-4598, CVE-2015-3412, CVE-2015-3411 and this vulnerability?