Bug #77565 Incorrect locator detection in ZIP-based phars
Submitted: 2019-02-04 12:47 UTC Modified: 2020-12-11 14:35 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tshumbeo at mailhouse dot biz Assigned: cmb (profile)
Status: Closed Package: PHAR related
PHP Version: 7.3.1 OS: Any
Private report: No CVE-ID: None

 [2019-02-04 12:47 UTC] tshumbeo at mailhouse dot biz
phar_parse_zipfile() is looking for the end of central directory (phar_zip_dir_end locator) by going from the file's beginning to the end, stopping at the first occurrence. Due to this, it may locate a sequence that looks like EOCD but is not one. Instead, it should go from the end of the file or, at the very least, postpone the decision about the locator until the entire stream is traversed, and use the last occurrence (which is in accordance with the spec).

As of now, Phar is unable to open a ZIP archive that contains another ZIP archive inside, or a similar-looking file, and is not deflated.

Test script:
# mkdir test
# cd test
# touch file
# zip file
  adding: file (stored 0%)
# zip
  adding: (stored 0%)
# php -r 'new PharData(""); echo "ok";'
# php -r 'new PharData("");'
PHP Fatal error:  Uncaught UnexpectedValueException: phar error: corrupted central directory entry, no magic signature in zip-based phar "/tmp/test/" in Command line code:1
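
The two scanning strategies the report contrasts, as an added C example (not PHP's phar code and not the associated patch). The names `eocd_first`, `eocd_last` and `build_sample` are hypothetical, the sample bytes are constructed, and the check that the comment length reaches exactly to end of file is an extra assumption beyond "use the last occurrence".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EOCD_MIN 22  /* fixed-size part of the end of central directory record */
static const unsigned char EOCD_SIG[4] = { 'P', 'K', 0x05, 0x06 };

/* Behaviour the report describes: the first signature from the start wins. */
long eocd_first(const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + EOCD_MIN <= n; i++)
        if (memcmp(b + i, EOCD_SIG, 4) == 0)
            return (long)i;
    return -1;
}

/* Scan backwards from EOF, no further than the 0xFFFF-byte comment limit allows.
 * Assumption added here: a candidate counts only if its comment runs exactly to EOF. */
long eocd_last(const unsigned char *b, size_t n)
{
    if (n < EOCD_MIN) return -1;
    size_t lowest = n > EOCD_MIN + 0xFFFF ? n - EOCD_MIN - 0xFFFF : 0;
    for (size_t i = n - EOCD_MIN + 1; i-- > lowest; ) {
        if (memcmp(b + i, EOCD_SIG, 4) != 0)
            continue;
        size_t clen = b[i + 20] | ((size_t)b[i + 21] << 8);
        if (i + EOCD_MIN + clen == n)
            return (long)i;
    }
    return -1;
}

/* Constructed sample: a stored inner archive's EOCD at offset 10,
 * the outer archive's real EOCD (empty comment) at offset 78. */
size_t build_sample(unsigned char out[100])
{
    memset(out, 0, 100);
    memcpy(out + 10, EOCD_SIG, 4);
    memcpy(out + 78, EOCD_SIG, 4);
    return 100;
}

int main(void)
{
    unsigned char buf[100];
    size_t n = build_sample(buf);
    printf("first=%ld last=%ld\n", eocd_first(buf, n), eocd_last(buf, n));
    return 0;
}
```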


 [2020-12-11 14:35 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-11 14:36 UTC]
The following pull request has been associated:

Patch Name: Fix #77565: Incorrect locator detection in ZIP-based phars
On GitHub:
 [2021-01-05 22:47 UTC]
Automatic comment on behalf of
Log: Fix #77565: Incorrect locator detection in ZIP-based phars
 [2021-01-05 22:47 UTC]
-Status: Verified +Status: Closed
Last updated: Mon Feb 06 04:04:08 2023 UTC