|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80833 ZipArchive::getStream doesn't use setPassword
Submitted: 2021-03-05 04:31 UTC Modified: 2021-03-30 13:00 UTC
Avg. Score:3.7 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: admin at lithi dot io Assigned:
Status: Closed Package: zip (PECL)
PHP Version: 7.4 OS: Ubuntu 20.04 LTS
Private report: No CVE-ID: None
 [2021-03-05 04:31 UTC] admin at lithi dot io
I try to read the content of a ZIP archive entry with ZipArchive::getStream to put its content into a variable with fread().

The archive is protected by a password (EM_AES_256).

getStream() doesn't use setPassword() to provide a stream.

getStream() from a non-password protected archive works.
extractTo() from a password protected archive works.


Test script:
$create_zip = new ZipArchive();
$create_zip->open("", ZipArchive::CREATE);
$create_zip->addFromString("test.txt", "This is a test string.");
$create_zip->setEncryptionName("test.txt", ZipArchive::EM_AES_256);

$extract_zip = new ZipArchive();
$extract_zip->open("", ZipArchive::RDONLY);
$file_stream = $extract_zip->getStream("test.txt");
if (is_resource($file_stream)) {
    echo "OK".PHP_EOL;
} else {
    echo "NOT OK".PHP_EOL;

Expected result:

Actual result:


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-05 04:34 UTC] admin at lithi dot io
Possibly a regression from #71665?
 [2021-03-05 10:49 UTC]
-Status: Open +Status: Verified -PHP Version: 8.0.3 +PHP Version: 7.4 -Assigned To: +Assigned To: cmb
 [2021-03-05 10:49 UTC]
Indeed, at least PHP 7.4 is affected by this as well.  The problem
is that we're internally open the archive again[1], but don't set
the password.

[1] <>
 [2021-03-05 13:13 UTC]
I am afraid this can't be fixed for any stable PHP version, due
to an inevitable ABI break.

The basic problem is that libzip offers no public API to get an
already set password, and struct zip is private.  Therefore we
would need to store the password in the ZipArchive object (i.e. in
ze_zip_object), but extending the existing struct would be an ABI
break, because putting the new member at the end of the struct
would not work since zend_object has variable size, and putting it
before the zend_object would break the offsetof retrieval.

Thus, the only way to allow to retrieve password protected files
as streams would be to add an additional optional $password
parameter to ::getStream(), which is a new feature, but may still
be covered by the self-contained feature exemption.

I should also point out that bug #71665 never had been fixed wrt.
::getStream(); this likely has been confused with the general
support for encrypted archives in PHP 7.2.0.
 [2021-03-05 13:29 UTC]
The following pull request has been associated:

Patch Name: Fix #80833: ZipArchive::getStream doesn't use setPassword
On GitHub:
 [2021-03-30 13:00 UTC]
-Assigned To: cmb +Assigned To:
 [2021-08-12 06:05 UTC]
The following pull request has been associated:

Patch Name: Fix #80833 ZipArchive::getStream doesn't use setPassword
On GitHub:
 [2021-09-01 13:52 UTC]
Automatic comment on behalf of remicollet
Log: Fix #80833 ZipArchive::getStream doesn't use setPassword
 [2021-09-01 13:52 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Mar 02 01:01:28 2024 UTC