Bug #77565 Incorrect locator detection in ZIP-based phars
Submitted: 2019-02-04 12:47 UTC Modified: -
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: tshumbeo at mailhouse dot biz Assigned:
Status: Open Package: PHAR related
PHP Version: 7.3.1 OS: Any
Private report: No CVE-ID: None
[2019-02-04 12:47 UTC] tshumbeo at mailhouse dot biz
Description:
------------
phar_parse_zipfile() is looking for the end of central directory (phar_zip_dir_end locator) by going from the file's beginning to the end, stopping at the first occurrence. Due to this, it may locate a sequence that looks like EOCD but is not one. Instead, it should go from the end of the file or, at the very least, postpone the decision about the locator until the entire stream is traversed, and use the last occurrence (which is in accordance with the spec).

As of now, Phar is unable to open a ZIP archive that contains another ZIP archive inside, or a similar-looking file, and is not deflated.

Test script:
---------------
# mkdir test
# cd test
# touch file
# zip 1.zip file
  adding: file (stored 0%)
# zip 2.zip 1.zip
  adding: 1.zip (stored 0%)
# php -r 'new PharData("1.zip"); echo "ok";'
ok
# php -r 'new PharData("2.zip");'
PHP Fatal error:  Uncaught UnexpectedValueException: phar error: corrupted central directory entry, no magic signature in zip-based phar "/tmp/test/2.zip" in Command line code:1
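Added example, not part of the report or of PHP's phar extension: a Python model of the two locator strategies, run on a nested stored ZIP constructed to match the test script above. The forward first-match scan stops at the inner archive's EOCD record, whose central directory offset then points into the wrong place in the outer file, while the backward scan that the ZIP format calls for finds the real record.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"  # central directory file header signature
EOCD_LEN = 22             # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF      # the trailing comment length field is 16 bits

def build_nested_zip() -> bytes:
    """Constructed sample matching the report: 2.zip stores (no deflate)
    a 1.zip, which itself stores an empty 'file'."""
    def make(name: str, payload: bytes) -> bytes:
        buf = io.BytesIO()
        info = zipfile.ZipInfo(name, date_time=(2019, 2, 4, 12, 47, 0))
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(info, payload, compress_type=zipfile.ZIP_STORED)
        return buf.getvalue()
    return make("1.zip", make("file", b""))

def find_eocd_forward(data: bytes) -> int:
    """Behaviour the report describes: scan from the start, first match wins."""
    return data.find(EOCD_SIG)

def find_eocd_backward(data: bytes) -> int:
    """Spec-style search: the EOCD is the last record, so scan backwards from
    the end (at most 22 + 65535 bytes) and accept a candidate only if its
    comment length field makes it end exactly at end-of-file."""
    low = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, low)
    while pos >= 0:
        comment_len = struct.unpack_from("<H", data, pos + 20)[0]
        if pos + EOCD_LEN + comment_len == len(data):
            return pos
        pos = data.rfind(EOCD_SIG, low, pos)
    return -1

def first_entry_name(data: bytes, eocd: int):
    """Follow the EOCD's central directory offset and return the first entry's
    name, or None when no central directory header signature is there (the
    'no magic signature' failure the report shows)."""
    cd = struct.unpack_from("<I", data, eocd + 16)[0]
    if data[cd:cd + 4] != CDFH_SIG:
        return None
    name_len = struct.unpack_from("<H", data, cd + 28)[0]
    return data[cd + 46:cd + 46 + name_len].decode()
```

Calling first_entry_name() with the forward result returns None, and with the backward result returns "1.zip"; the same backward search also handles archives that carry a trailing comment.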
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Feb 23 00:01:25 2019 UTC