|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64931 phar_add_file is too restrive on filename
Submitted: 2013-05-27 15:43 UTC Modified: -
Avg. Score:3.3 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: william dot martin at power-lan dot com Assigned:
Status: Closed Package: PHAR related
PHP Version: 5.4.15 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
23 - 14 = ?
Subscribe to this entry?

 [2013-05-27 15:43 UTC] william dot martin at power-lan dot com
The function phar_add_file start by test if we try to write something in the 
".phar" magic directory, but the test is in really : Does a filepath start by 
".phar" ?

So if you try to pack files likes ".pharignore", php throw an exception: "Error: 
Cannot create any files in magic ".phar" directory".

Test script:

$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFile(".pharignore", ".pharignore");


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-08-07 10:54 UTC] hanskrentel at yahoo dot de
According to the code, the error message is different to what the code does:

The code checks if the filename starts with ".phar". The message says there would be a ".phar" directory (and that one is magic).

I don't know what is magic about ".phar". I guess the error message is not lying and it's about directory. And indeed one can find some more references to that string containing files like:


A more proper check would probably to check for the sole string ".phar" (fixed length) or ".phar/" (for the start).

There are multiple places where the check is not done that consequently, for example as well in

Taking the knowledge from those settings reveals the feature to create such files:

$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFile(".pharignore", "/.pharignore");

This code creates the file ".pharignore" inside. It's also possible to add files inside the magic ".phar" folder for wich I'll create a new ticket.
 [2013-08-07 11:02 UTC] hanskrentel at yahoo dot de
The related bug is: Sec Bug #65414
 [2015-03-30 14:29 UTC]
Automatic comment on behalf of mike
Log: Fixed bug #64931
 [2015-03-30 14:29 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun May 26 09:01:32 2024 UTC