php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77565 Incorrect locator detection in ZIP-based phars
Submitted: 2019-02-04 12:47 UTC Modified: 2020-12-11 14:35 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tshumbeo at mailhouse dot biz Assigned: cmb (profile)
Status: Closed Package: PHAR related
PHP Version: 7.3.1 OS: Any
Private report: No CVE-ID: None
 [2019-02-04 12:47 UTC] tshumbeo at mailhouse dot biz
Description:
------------
phar_parse_zipfile() is looking for the end of central directory (phar_zip_dir_end locator) by going from the file's beginning to the end, stopping at the first occurrence. Due to this, it may locate a sequence that looks like EOCD but is not one. Instead, it should go from the end of the file or, at very least, postpone decision about the locator until the entire stream is traversed, and use the last occurrence (which is in accordance with the spec).

As of now, Phar is unable to open a ZIP archive that contains another ZIP archive inside, or a similarly looking file, and is not deflated.

Test script:
---------------
# mkdir test
# cd test
# touch file
# zip 1.zip file
  adding: file (stored 0%)
# zip 2.zip 1.zip
  adding: 1.zip (stored 0%)
# php -r 'new PharData("1.zip"); echo "ok";'
ok
# php -r 'new PharData("2.zip");'
PHP Fatal error:  Uncaught UnexpectedValueException: phar error: corrupted central directory entry, no magic signature in zip-based phar "/tmp/test/2.zip" in Command line code:1



Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-11 14:35 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-11 14:36 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #77565: Incorrect locator detection in ZIP-based phars
On GitHub:  https://github.com/php/php-src/pull/6507
Patch:      https://github.com/php/php-src/pull/6507.patch
 [2021-01-05 22:47 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1b1c043988277b7c0d46ec7c953418cbfbb2608
Log: Fix #77565: Incorrect locator detection in ZIP-based phars
 [2021-01-05 22:47 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 08 15:01:28 2024 UTC