php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69536 Extracted ZipArchive archives have insecure permissions when extracted by OSX
Submitted: 2015-04-27 16:13 UTC Modified: 2015-05-05 14:57 UTC
Votes:5
Avg. Score:4.2 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: kevin dot cupp at ellislab dot com Assigned:
Status: Verified Package: Zip Related
PHP Version: 5.5.24 OS: OSX
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: kevin dot cupp at ellislab dot com
New email:
PHP Version: OS:

 

 [2015-04-27 16:13 UTC] kevin dot cupp at ellislab dot com
Description:
------------
In PHP 5.5 and above, ZipArchive is creating archives that, when extracted by OSX, have its folders permissions set to 777 and files set to 666. In PHP 5.4, everything defaults to 755. When using a third-party extractor, such as The Unarchiver for OSX, permissions are normal, so it is only a problem (to my knowledge) with OSX's native unarchiver.

It could be argued that since it's a problem with OSX's unarchiver, the ball is in their court. But since it works fine on archives created in <= 5.4, I'm wondering if something could be done on PHP's end to write its zips in a way that OSX's unarchiver will not misinterpret, as a lot of folks are creating zips with PHP and a lot of customers are extracting those zips on their Macs. I'm not expecting original permissions be retained, just that ZipArchive writes its archives in a way that allows OSX pick a more sane default again, like 755.

Test script:
---------------
$zip = new ZipArchive();
$zip->open('./test.zip', ZIPARCHIVE::CREATE);
$zip->addEmptyDir('archive');
$zip->addFile('./test.php', 'archive/test.php');
$zip->close();

Expected result:
----------------
I expect an archive to be created, that when extracted with OSX's native unarchiver, the files have a relatively secure default permission applied to them, as in PHP 5.4.

Actual result:
--------------
Extracted files have a permission of 666, folders are 777.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-04-29 20:37 UTC] cmb@php.net
A slight variation of the supplied test script to make the issue
more easily reproducible:

    $zip = new ZipArchive();
    $zip->open('69536.zip',ZipArchive::CREATE);
    $zip->addFromString('foo','bar');
    $zip->close();

Recent versions of PHP set the "version made by" (byte no.
0x2A-0x2B in the archives generated by the test script) to 0x1403,
whereas former PHP versions used 0x1400. 0x14 is the ZIP version,
0x00 means DOS, 0x03 means Unix. I suppose that's what makes the
difference for OS X's native unarchiver.
 [2015-05-05 14:57 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2015-05-05 14:57 UTC] cmb@php.net
Just found the relevant entry in the changelog of libzip 0.11.2:

| For newly added files, set operating system to UNIX, permissions
| to 0666 (0777 for directories).
 [2018-11-23 08:40 UTC] peter dot achutha at gmail dot com
I am seeing this problem, ZipArchieve not working properly, in PHP versions 

7.3.0RC1	
7.2.10		
7.1.22		
7.0.32		
5.6.38		

ZipArchive is changing file permissions. All zipped files when unzipped have files permissions set to 0666 and directories set to 0777. The extracted PHP scripts cannot be executed. On some website I get "Error 500 - Internal Server Error" on others it is a similar message. When I change the permission to 0644 the PHP scripts run correctly.

Test Script
------------------
$zipArchive = new ZipArchive();
echo '<br>Destination ZIP: '.$zip_name.' <br>';
$return = $zipArchive->open($zip_name, ZIPARCHIVE::CREATE | ZIPARCHIVE::OVERWRITE );

if(  $return === TRUE)
	{
	//you can change the file names to what ever file you want to include in the zip
	$zipArchive->addFile('testmail.php', 'testmail.php');
	$zipArchive->addFile('testsendemail.php', 'testsendemail.php');
	$zipArchive->addFile('tmpX.txt', 'tmpX.txt');	
	$zipArchive->addFile('xmyreqdb.txt', 'xmyreqdb.txt');	
	} else {
	echo '<br>Failed Archive: '.$return;
	$stopemail = 'STOP';
	}
$ret = $zipArchive->close();
------------------

ZipArchive works for PHP versions:-
5.5.38		
5.4.45		
5.3.29		


So for now I cannot upgrade my site to a version of PHP higher than 5.5 because my zipped up PHP scripts, using a higher version of PHP, sent to customers fail to work when unzipped at their site. Suspect this is because the zip function sets the permission of the files being zipped to 0666 and directories to 0777 instead of copying the original permissions.

Please help fix this as soon as possible.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Feb 17 16:01:25 2019 UTC