php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
Submitted: 2020-01-08 17:42 UTC Modified: 2020-02-17 08:21 UTC
From: dr at loopia dot rs Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.2.27 OS: Ubuntu 16.04.6 LTS
Private report: No CVE-ID: 2020-7063
 [2020-01-08 17:42 UTC] dr at loopia dot rs
Description:
------------
When using PharData::buildFromIterator() to create a Tar archive file permissions are not kept.

Same bug as #77022 but its triggered by using buildFromIterator. Making a new report  rather than comment on #77022 because #77022 was marked as "SEC BUG".

Even adding the same file with iterator and with addFile($file, 'new-name') will result in a tar archive with two files with different permissions.

Test script:
---------------
https://3v4l.org/qCPRH

<?php
var_dump(decoct(umask(22)));
$srcDir = '/tmp/files';
mkdir($srcDir);
foreach([1, 2] as $i){
	$file = tempnam($srcDir, 'test');
	printf("File$i - %o\n", stat($file)['mode']);
}
$phar = new \PharData('/tmp/test.tar', null, null, \Phar::TAR);
$phar->buildFromIterator(new \RecursiveDirectoryIterator($srcDir, \FilesystemIterator::SKIP_DOTS), $srcDir);

$phar->addFile($file, 'added-with-add-file');
$phar->extractTo('/tmp/pharFiles');

foreach(new \RecursiveDirectoryIterator('/tmp/pharFiles', \FilesystemIterator::SKIP_DOTS) as $iFile) {
	printf('From ' . ($iFile->getFilename() === 'added-with-add-file' ? 'addFile':'Iterator'). " - %o\n", $iFile->getPerms());
}


Expected result:
----------------
Files added to tar using PharData::buildFromIterator should keep the original permissions or respect the umask, same as files added by using PharData::addFile.

From addFile - 100600
From Iterator - 100600


Actual result:
--------------
Files added from iterator don't keep correct permissions

From addFile - 100600
From Iterator - 100666

Before #77022 was fixed
From addFile - 100666
From Iterator - 100666

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-16 06:00 UTC] stas@php.net
-PHP Version: 7.3.13 +PHP Version: 7.2.28 -CVE-ID: +CVE-ID: 2020-7063
 [2020-02-16 06:00 UTC] stas@php.net
-PHP Version: 7.2.28 +PHP Version: 7.2.27
 [2020-02-16 06:02 UTC] stas@php.net
-Summary: Files added to tar with Phar::buildFromIterator trigger bug #77022 +Summary: Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-16 06:18 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2020-02-16 06:18 UTC] stas@php.net
Patch in security repo as 9c4b2b282129f9f3b5aeea7a45bfeb5bdf8e321e and in https://gist.github.com/smalyshev/8e023915d57a986de3593a93b62f169a. Please verify.
 [2020-02-17 08:21 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e5c95234d87fcb8f6b7569a96a89d1e1544749a6
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-17 08:21 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2020-02-17 08:21 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6facfa59a5273a7084fabe13f215bb17215218c4
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-17 08:21 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bbcb8cab8cdace25d481f2ade0539f75b0fa8c43
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-17 08:21 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcbc053dc1223e20954caf68b43aea2c64e339ad
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-17 09:54 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bbcb8cab8cdace25d481f2ade0539f75b0fa8c43
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-17 18:11 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e5c95234d87fcb8f6b7569a96a89d1e1544749a6
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-17 18:11 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6facfa59a5273a7084fabe13f215bb17215218c4
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-18 08:14 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2589f5bd83ff644d8345bb9c684fc4338435a3a3
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 [2020-02-18 10:16 UTC] derick@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ead40a66785aedaa393f953a0ed9224adaf040cd
Log: Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun May 31 05:01:24 2020 UTC