[2013-08-07 11:01 UTC] hanskrentel at yahoo dot de
Description:
------------
The checks to add files or strings as files to a .phar file into the magic .phar directory do not prevent creating files within that directory.
This is because those checks (at different places) do not check whether the path is actually inside that .phar directory or not.
The filename (pathname) is not normalized prior to the access check.
This makes it easy to circumvent the access control and create files therein.
I ran across this while reviewing Bug #64931, and the workaround there is the exploit here (prefixing the filename (pathname)).
Test script:
---------------
<?php
$phar = new \Phar("foo.phar", 0, "foo.phar");
$phar->addFromString('/.phar/how-unicorns-shit_-_the-complete-guide.txt', "
How Unicorns Shit
---
The Complete Guide
It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.
Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.
Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into.");
var_dump(file_get_contents('phar://' . __DIR__ . '/foo.phar/.phar/how-unicorns-shit_-_the-complete-guide.txt'));
Expected result:
----------------
Fatal error: Uncaught exception 'BadMethodCallException' with message 'Cannot create any files in magic ".phar" directory'
Actual result:
--------------
string(383) "
How Unicorns Shit
---
The Complete Guide
It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.
Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.
Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into."
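
Added example, not part of the original report and not code from php-src: a C sketch of the missing step, normalizing the entry path before testing whether it lands in the magic `.phar` directory. The function names, the shape of the naive check, and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Assumed shape of a flawed check: compares the raw string prefix only,
 * so a leading "/" is enough to slip past it. */
static int naive_is_magic(const char *path)
{
    return strncmp(path, ".phar", 5) == 0;
}

/* Hardened check: drop empty and "." segments, resolve "..", then test
 * whether the first remaining segment is exactly ".phar". */
static int normalized_is_magic(const char *path)
{
    const char *seg[MAX_DEPTH];
    size_t len[MAX_DEPTH];
    size_t depth = 0;
    const char *p = path;

    while (*p) {
        size_t n = strcspn(p, "/");           /* length of this segment */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth > 0) depth--;           /* ".." pops; clamp at the root */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (depth == MAX_DEPTH) return 1; /* too deep: fail closed (reject) */
            seg[depth] = p;
            len[depth] = n;
            depth++;
        }
        p += n;
        if (*p) p++;                          /* step over the separator */
    }
    return depth > 0 && len[0] == 5 && memcmp(seg[0], ".phar", 5) == 0;
}

int main(void)
{
    /* Constructed sample entry names. */
    const char *samples[] = { ".phar/x.txt", "/.phar/x.txt", "./.phar/x.txt",
                              "a/../.phar/x.txt", "docs/.phar/x.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s naive=%d normalized=%d\n", samples[i],
               naive_is_magic(samples[i]), normalized_is_magic(samples[i]));
    return 0;
}
```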