Sec Bug #70350 ZipArchive::extractTo allows for directory traversal when creating directories
Submitted: 2015-08-25 04:36 UTC Modified: 2016-03-21 08:15 UTC
From: neal at fb dot com Assigned: stas (profile)
Status: Closed Package: zip (PECL)
PHP Version: 5.6.12 OS: N/A
Private report: No CVE-ID: 2014-9767
 [2015-08-25 04:36 UTC] neal at fb dot com
Description:
------------
This issue is somewhat similar to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658 but more limited: it only allows you to create new directories, not files.

Inside php_zip.c there's a function called php_zip_make_relative_path which is used to sanitize the file path when extracting a file/directory from a ZIP. When extracting a file the sanitized pathname is used, so files are only created inside of the directory where they're being extracted. However, for directories, the unsanitized/user-provided "file" value is used instead of the sanitized "path_cleaned" value (https://github.com/php/php-src/blob/026b41ba664bd8f76d6d201d7af8e70c8b650194/ext/zip/php_zip.c#L172-L176). As a result, a directory can be created outside of the directory where a ZIP file is being extracted.

Compared to CVE-2008-5658 this is a much more minor issue since it is limited to the creation of directories rather than files. This issue appears to have been previously reported as #67996 but was closed as not a bug.

Test script:
---------------
<?php
// Build an archive whose only entry is a directory named with a parent reference.
$archive = new ZipArchive();
$archive->open('a.zip', ZipArchive::CREATE);
$archive->addEmptyDir("../down2/");
$archive->close();

// Extract it into the current directory; the directory entry is created unsanitized.
$archive2 = new ZipArchive();
$archive2->open('a.zip');
$archive2->extractTo('.');
$archive2->close();

Expected result:
----------------
A directory called down2 is created inside of .

Actual result:
--------------
A directory called down2 is created inside of the parent directory.
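A pre-extraction check that applies one containment rule to every entry, directory entries included, added here as an example; it is not the reporter's code and not PHP's fix. The function names, the temporary archive and its sample entries are constructed for the demonstration.

```php
<?php
// Added example (not from the report or from PHP's fix): refuse to extract
// an archive whose entry names could resolve outside the extraction root.

// True when $name, taken relative to the extraction root, cannot leave it.
// '/' and '\' are separators; drive letters and leading separators are absolute.
function zipEntryStaysInside(string $name): bool {
    if ($name === '' || preg_match('~^([A-Za-z]:|[/\\\\])~', $name)) {
        return false;
    }
    $depth = 0;
    foreach (preg_split('~[/\\\\]+~', $name) as $part) {
        if ($part === '' || $part === '.') {
            continue;              // trailing slash or current directory
        }
        if ($part === '..') {
            if (--$depth < 0) {
                return false;      // climbs above the extraction root
            }
            continue;
        }
        $depth++;
    }
    return true;
}

// Check every entry, directories included, since that is where the bug is.
function unsafeZipEntries(ZipArchive $zip): array {
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!zipEntryStaysInside($name)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample: the report's "../down2/" entry plus a benign file.
$path = tempnam(sys_get_temp_dir(), 'zipchk');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::OVERWRITE);
$zip->addEmptyDir('../down2/');
$zip->addFromString('ok/readme.txt', 'fine');
$zip->close();
$zip->open($path);
$bad = unsafeZipEntries($zip);
if ($bad) { echo "refusing to extract: " . implode(', ', $bad) . "\n"; } else { $zip->extractTo('.'); }
$zip->close();
unlink($path);
```

The check reads only entry names, so it works on unpatched builds such as the 5.6.12 named in the report and costs nothing for archives that pass.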

 [2015-09-01 19:13 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2015-09-01 19:13 UTC] stas@php.net
Fixed in git.
 [2015-09-02 08:29 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9c2bf73adb2ede0a486b0db466c264f2b27e0bb
Log: Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
 [2015-09-03 18:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9c2bf73adb2ede0a486b0db466c264f2b27e0bb
Log: Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
 [2016-03-20 06:36 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9767
 [2016-03-20 06:36 UTC] kaplan@php.net
From CVE assign response:

Use CVE-2014-9767 for this issue that was apparently disclosed in
https://bugs.php.net/bug.php?id=67996 in 2014. The issue could be
relevant in cases where, for example:

  - a parent directory is on a filesystem that can't support many
    inodes, and the attacker can cause a DoS by creating thousands of
    empty directories there

  - a parent directory is served by the web server and allows a full
    directory listing, and the attacker can therefore post spam in the
    form of directory names
 [2016-03-21 05:13 UTC] stas@php.net
I am confused as to why this really needs a CVE. Also, since CVE-2014-9767 seems to have no content since 2014, I wonder whether it is meaningful to assign it at all.
 [2016-03-21 08:15 UTC] kaplan@php.net
We can ask them to update the content. The trigger for the assignment was a similar fix by HHVM and then a CVE request by Debian.