Bug #64931 phar_add_file is too restrictive on filename
Submitted: 2013-05-27 15:43 UTC Modified: -
Votes:3
Avg. Score:3.3 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: william dot martin at power-lan dot com Assigned:
Status: Closed Package: PHAR related
PHP Version: 5.4.15 OS: Linux
Private report: No CVE-ID:
 [2013-05-27 15:43 UTC] william dot martin at power-lan dot com
Description:
------------
The function phar_add_file starts by testing whether we are trying to write something in the 
".phar" magic directory, but the test really is: does the file path start with 
".phar"?

So if you try to pack files like ".pharignore", PHP throws an exception: "Error: 
Cannot create any files in magic ".phar" directory".

Test script:
---------------
<?php

touch(".pharignore");
$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFile(".pharignore", ".pharignore");


 [2013-08-07 10:54 UTC] hanskrentel at yahoo dot de
According to the code, the error message is different to what the code does:

http://lxr.php.net/xref/PHP_5_4/ext/phar/phar_object.c#3708

The code checks if the filename starts with ".phar". The message says there would be a ".phar" directory (and that one is magic).

I don't know what is magic about ".phar". I guess the error message is not lying and it's about a directory. And indeed one can find some more references to that string containing files like:

".phar/stub.php"
".phar/alias.txt"

A more proper check would probably be to check for the sole string ".phar" (fixed length) or ".phar/" (for the start).

There are multiple places where the check is not done that consistently, for example in

http://lxr.php.net/xref/PHP_5_4/ext/phar/phar_object.c#3825

Taking the knowledge from those settings reveals the feature to create such files:

<?php
touch(".pharignore");
$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFile(".pharignore", "/.pharignore");
?>

This code creates the file ".pharignore" inside. It's also possible to add files inside the magic ".phar" folder, for which I'll create a new ticket.
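
The difference between the prefix test described in this report and the component-aware test suggested in the comment above, as an added example that is not part of the original report and is not code from php-src. The function names are hypothetical, and skipping leading "/" before the test is an assumption that models the observation that "/.pharignore" is stored as ".pharignore".

```c
#include <stdio.h>
#include <string.h>

/* Prefix-only test, as the report describes it: any name that merely
 * begins with ".phar" is rejected, so ".pharignore" is refused as well. */
static int starts_with_dot_phar(const char *name)
{
    return strncmp(name, ".phar", 5) == 0;
}

/* Component-aware test (hypothetical helper): the name is reserved only
 * if its first path component is exactly ".phar". Leading '/' characters
 * are skipped first (assumption), so the decision is made on the same
 * name that ends up stored in the archive. */
static int is_magic_phar_path(const char *name)
{
    while (*name == '/')
        name++;
    if (strncmp(name, ".phar", 5) != 0)
        return 0;
    /* strncmp matched five bytes, so name[5] is readable (NUL at worst). */
    return name[5] == '\0' || name[5] == '/';
}

int main(void)
{
    /* Constructed sample names taken from the strings quoted in this report. */
    const char *samples[] = {
        ".pharignore", "/.pharignore", ".phar",
        ".phar/stub.php", "/.phar/alias.txt", "src/.pharignore",
    };
    size_t i;

    printf("%-20s %-12s %s\n", "name", "prefix-test", "component-test");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-20s %-12s %s\n", samples[i],
               starts_with_dot_phar(samples[i]) ? "reject" : "allow",
               is_magic_phar_path(samples[i]) ? "reject" : "allow");
    }
    return 0;
}
```

The two tests disagree in both directions: the prefix test rejects ".pharignore" and accepts "/.phar/alias.txt", while the component-aware test does the opposite.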
 [2013-08-07 11:02 UTC] hanskrentel at yahoo dot de
The related bug is: Sec Bug #65414
 [2015-03-30 14:29 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6480725007bdc5bab4f24ac481a4cb082074851d
Log: Fixed bug #64931
 [2015-03-30 14:29 UTC] mike@php.net
-Status: Open +Status: Closed
 
Last updated: Mon Feb 20 13:01:43 2017 UTC