Bug #77565 Incorrect locator detection in ZIP-based phars
Submitted: 2019-02-04 12:47 UTC Modified: 2020-12-11 14:35 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tshumbeo at mailhouse dot biz Assigned: cmb (profile)
Status: Closed Package: PHAR related
PHP Version: 7.3.1 OS: Any
Private report: No CVE-ID: None
 [2019-02-04 12:47 UTC] tshumbeo at mailhouse dot biz
phar_parse_zipfile() is looking for the end of central directory (phar_zip_dir_end locator) by going from the file's beginning to the end, stopping at the first occurrence. Due to this, it may locate a sequence that looks like EOCD but is not one. Instead, it should go from the end of the file or, at the very least, postpone the decision about the locator until the entire stream is traversed, and use the last occurrence (which is in accordance with the spec).

As of now, Phar is unable to open a ZIP archive that contains another ZIP archive inside, or a similar-looking file, and is not deflated.

Test script:
# mkdir test
# cd test
# touch file
# zip file
  adding: file (stored 0%)
# zip
  adding: (stored 0%)
# php -r 'new PharData(""); echo "ok";'
# php -r 'new PharData("");'
PHP Fatal error:  Uncaught UnexpectedValueException: phar error: corrupted central directory entry, no magic signature in zip-based phar "/tmp/test/" in Command line code:1
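
The locator problem described in this report, as an added Python illustration that is not part of the original report or of PHP's phar source: it builds a constructed stored ZIP inside a stored ZIP, then compares a first-match forward scan with a scan from the end that also requires the comment length to reach end of file. The function names, the timestamp and the sample archive are assumptions made for the example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_MIN = 22             # size of an EOCD record with an empty comment
STAMP = (2019, 2, 4, 12, 47, 0)  # constructed fixed timestamp for reproducible bytes


def build_nested_zip():
    """Constructed sample: a stored (not deflated) ZIP inside a stored ZIP."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(zipfile.ZipInfo("file", STAMP), b"")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(zipfile.ZipInfo("inner.zip", STAMP), inner.getvalue())
    return outer.getvalue()


def first_eocd(data):
    """Forward scan that stops at the first signature, as the report describes."""
    return data.find(EOCD_SIG)


def last_eocd(data):
    """Scan from the end; accept a candidate only if its comment ends at EOF."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_MIN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)
    return -1


def central_dir_ok(data, eocd):
    """True if the EOCD's central directory offset lands on a central header."""
    (cd_offset,) = struct.unpack_from("<L", data, eocd + 16)
    return data[cd_offset:cd_offset + 4] == CDH_SIG


if __name__ == "__main__":
    data = build_nested_zip()
    for name, pos in (("first", first_eocd(data)), ("last", last_eocd(data))):
        print(name, pos, "central directory ok:", central_dir_ok(data, pos))
```

The first match belongs to the embedded archive, so its central directory offset is relative to the inner file and does not point at a central header in the outer one.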


 [2020-12-11 14:35 UTC]
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
 [2020-12-11 14:36 UTC]
The following pull request has been associated:

Patch Name: Fix #77565: Incorrect locator detection in ZIP-based phars
On GitHub:
 [2021-01-05 22:47 UTC]
Automatic comment on behalf of
Log: Fix #77565: Incorrect locator detection in ZIP-based phars
 [2021-01-05 22:47 UTC]
-Status: Verified
+Status: Closed