Sec Bug #66321 PHP ZipArchive::open() ze_obj->filename_len not real
Submitted: 2013-12-19 07:00 UTC Modified: 2016-05-14 15:15 UTC
From: cyg0x7 at gmail dot com Assigned: remi
Status: Closed Package: Zip Related
PHP Version: 5.4.23 OS: Linux
Private report: No CVE-ID:
 [2013-12-19 07:00 UTC] cyg0x7 at gmail dot com
Description:
------------
The PHP function ZipArchive::open() uses 'filename_len' from the parameter as ze_obj->filename's length (ze_obj->filename_len), but after calling the function expand_filepath the resolved_path's length may be less than the filename's length. Although there is nowhere that uses ze_obj->filename_len at present, I think it is a security risk, maybe someday.
=============================================
	if (!expand_filepath(filename, resolved_path TSRMLS_CC)) {
		RETURN_FALSE;
	}

	if (ze_obj->za) {
		/* we already have an opened zip, free it */
		if (zip_close(ze_obj->za) != 0) {
			_zip_free(ze_obj->za);
		}
		ze_obj->za = NULL;
	}
	if (ze_obj->filename) {
		efree(ze_obj->filename);
		ze_obj->filename = NULL;
	}

	intern = zip_open(resolved_path, flags, &err);
	if (!intern || err) {
		RETURN_LONG((long)err);
	}
	ze_obj->filename = estrdup(resolved_path); // here the resolved path is stored as the filename
	ze_obj->filename_len = filename_len;    // but here the length is taken from the argument
	ze_obj->za = intern;
	RETURN_TRUE;


Test script:
---------------
<?php
$zip = new ZipArchive;
$fn = "/../../../../root/test.zip";
#var_dump( $fn );
$res = $zip->open($fn);
if ($res === TRUE) {
    echo 'ok';
    $zip->extractTo('test');
    $zip->close();
} else {
    echo 'failed, code:' . $res;
}
?>
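The length mismatch the report describes, reproduced as an added C example (not PHP's own source): a hypothetical zip_obj struct standing in for the extension's object, a lexical stand-in for expand_filepath() that handles absolute paths only, and store_name(), which keeps either the caller's filename_len (the reported code) or the stored string's own length (the fix).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two fields of the extension's zip object. */
struct zip_obj { char *filename; size_t filename_len; };

/* Stand-in for expand_filepath(): lexically resolves an absolute path and
 * clamps ".." at the root ("/../../root/x" -> "/root/x"). Not PHP's code. */
static void resolve_path(const char *in, char *out, size_t outsz) {
    char tmp[1024];
    size_t n = 1;
    strncpy(tmp, in, sizeof tmp - 1); tmp[sizeof tmp - 1] = '\0';
    out[0] = '/'; out[1] = '\0';
    for (char *seg = strtok(tmp, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {            /* pop one segment, never above "/" */
            while (n > 1 && out[n - 1] != '/') n--;
            if (n > 1) n--;
            out[n] = '\0';
            continue;
        }
        size_t len = strlen(seg);
        if (n + len + 2 > outsz) break;          /* segment would not fit */
        if (out[n - 1] != '/') out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len; out[n] = '\0';
    }
}

/* Mirrors the tail of ZipArchive::open(): keeps the resolved path paired with
 * either the caller's filename_len (the reported bug) or its own length (the fix). */
static void store_name(struct zip_obj *o, const char *fn, size_t fn_len, int fixed) {
    char resolved[1024];
    resolve_path(fn, resolved, sizeof resolved);
    free(o->filename);
    o->filename = strdup(resolved);
    o->filename_len = fixed ? strlen(o->filename) : fn_len;
}
/* Length the object holds for fn with the buggy (fixed=0) or fixed (fixed=1) code. */
static size_t stored_len(const char *fn, int fixed) {
    struct zip_obj o = { NULL, 0 };
    store_name(&o, fn, strlen(fn), fixed);
    size_t len = o.filename_len;
    free(o.filename);
    return len;
}
/* 1 when the buggy variant records a length that does not match its string. */
static int length_mismatch(const char *fn) { return stored_len(fn, 0) != stored_len(fn, 1); }
```

For the path in the test script the buggy variant records 26 bytes against a stored string of 14, which is the inconsistency the fix removes.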



History

 [2013-12-19 10:00 UTC] remi@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: remi
 [2013-12-19 10:00 UTC] remi@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

While I really think there is no security issue with this minor bug, it is now fixed.

https://github.com/pierrejoye/php_zip/commit/f6ecd5930f6b2d4c7091a37f1b466072c564c31b

The fix will be in 5.4.24 and 5.5.8
 [2016-05-14 15:15 UTC] kaplan@php.net
Mark the bug as public.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC