Sec Bug #66321 PHP ZipArchive::open() ze_obj->filename_len not real
Submitted: 2013-12-19 07:00 UTC Modified: 2016-05-14 15:15 UTC
From: cyg0x7 at gmail dot com Assigned: remi (profile)
Status: Closed Package: Zip Related
PHP Version: 5.4.23 OS: Linux
Private report: No CVE-ID: None
 [2013-12-19 07:00 UTC] cyg0x7 at gmail dot com
The PHP function ZipArchive::open() uses 'filename_len' from the parameter as ze_obj->filename's length (ze_obj->filename_len). After calling the function expand_filepath, the resolved_path's length may be less than filename's length. Although there is nowhere that uses ze_obj->filename_len at present, I think it is a security risk, maybe someday.
	if (!expand_filepath(filename, resolved_path TSRMLS_CC)) {
		/* ... */
	}

	if (ze_obj->za) {
		/* we already have an opened zip, free it */
		if (zip_close(ze_obj->za) != 0) {
			/* ... */
		}
		ze_obj->za = NULL;
	}
	if (ze_obj->filename) {
		/* ... */
		ze_obj->filename = NULL;
	}

	intern = zip_open(resolved_path, flags, &err);
	if (!intern || err) {
		/* ... */
	}
	ze_obj->filename = estrdup(resolved_path); /* resolved_path is used as the filename */
	ze_obj->filename_len = filename_len;       /* but the length comes from the args */
	ze_obj->za = intern;

Test script:
<?php
$zip = new ZipArchive;
$fn = "/../../../../root/";
#var_dump( $fn );
$res = $zip->open($fn);
if ($res === TRUE) {
    echo 'ok';
} else {
    echo 'failed, code:' . $res;
}
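
The mismatch described in this report, modelled as an added C example (not code from the report or from PHP's source). `struct zip_obj`, `resolve_path`, `model_open` and `len_is_consistent` are hypothetical names, `resolve_path` is a simplified stand-in for expand_filepath, and the corrected branch is an assumption about a reasonable fix, not the committed patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct zip_obj { char *filename; size_t filename_len; }; /* hypothetical model */

/* Stand-in for expand_filepath() (not PHP's code): collapses "", "." and
 * ".." components, treating the input as absolute. out needs strlen(in)+2. */
static void resolve_path(const char *in, char *out) {
    size_t n = 0, seg;
    for (; *in; in += seg) {
        while (*in == '/') in++;                  /* skip separators */
        seg = strcspn(in, "/");
        if (seg == 2 && in[0] == '.' && in[1] == '.') {
            while (n > 0 && out[--n] != '/') {}   /* drop last component */
        } else if (seg > 0 && !(seg == 1 && in[0] == '.')) {
            out[n++] = '/';
            memcpy(out + n, in, seg);
            n += seg;
        }
        out[n] = '\0';
    }
    if (n == 0) strcpy(out, "/");
}

/* fixed == 0 reproduces the report's pattern; fixed != 0 stores strlen(resolved). */
static int model_open(struct zip_obj *o, const char *fn, size_t fn_len, int fixed) {
    char *resolved = malloc(fn_len + 2);
    if (!resolved) return -1;
    resolve_path(fn, resolved);
    o->filename = resolved;                       /* string: resolved path */
    o->filename_len = fixed ? strlen(resolved) : fn_len;
    return 0;
}

/* Invariant a later length-based consumer (memcpy, compare) relies on. */
static int len_is_consistent(const struct zip_obj *o) {
    return strlen(o->filename) == o->filename_len;
}

int main(void) {
    const char *fn = "/../../../../root/";        /* path from the test script */
    struct zip_obj a, b;
    if (model_open(&a, fn, strlen(fn), 0) || model_open(&b, fn, strlen(fn), 1)) return 1;
    printf("report: \"%s\" len=%zu ok=%d\n", a.filename, a.filename_len, len_is_consistent(&a));
    printf("fixed:  \"%s\" len=%zu ok=%d\n", b.filename, b.filename_len, len_is_consistent(&b));
    free(a.filename); free(b.filename);
    return 0;
}
```

With the report's pattern the stored length exceeds the stored string, so any later code that trusts the length field would read past the allocation.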


 [2013-12-19 10:00 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: remi
 [2013-12-19 10:00 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

While I really think there is no security issue with this minor bug, it is now fixed.

The fix will be in 5.4.24 and 5.5.8
 [2016-05-14 15:15 UTC]
Make the bug public.