Patch fix-73910 for Zip Related Bug #73910

Patch version 2017-01-12 01:05 UTC

• 2017-01-12 01:05 UTC [diff to current]

Developer: cmb@php.net

From 6f68aed63e95919aedf6a37422b7a4dbba4ab567 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Thu, 12 Jan 2017 01:56:21 +0100
Subject: [PATCH] Fix #73910: Missing null byte checks for paths in
 ZipArchive::extractTo

ZPP should expect a `p` instead of an `s` here.
---
 ext/zip/php_zip.c           |  2 +-
 ext/zip/tests/bug73910.phpt | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 ext/zip/tests/bug73910.phpt

diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 9f2b376..52f058c 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -2662,7 +2662,7 @@ static ZIPARCHIVE_METHOD(extractTo)
 		RETURN_FALSE;
 	}
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z", &pathto, &pathto_len, &zval_files) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|z", &pathto, &pathto_len, &zval_files) == FAILURE) {
 		return;
 	}
 
diff --git a/ext/zip/tests/bug73910.phpt b/ext/zip/tests/bug73910.phpt
new file mode 100644
index 0000000..3804fb3
--- /dev/null
+++ b/ext/zip/tests/bug73910.phpt
@@ -0,0 +1,43 @@
+--TEST--
+Bug #73910 (Missing null byte checks for paths in ZipArchive::extractTo)
+--SKIPIF--
+<?php
+if (!extension_loaded('zip')) die('skip zip extension not available');
+?>
+--FILE--
+<?php
+$dirname = __DIR__ . DIRECTORY_SEPARATOR . '73910';
+
+// create a ZIP to test the extraction
+$zip = new ZipArchive();
+$zip->open("$dirname.zip", ZipArchive::CREATE);
+$zip->addFromString('foo', 'bar');
+$zip->close();
+
+// create the directory to extract to
+if (!is_dir("$dirname/sub")) {
+    mkdir("$dirname/sub", 0777, true);
+}
+
+// try to extract the archive to a path containing a NUL byte
+$zip = new ZipArchive();
+$zip->open("$dirname.zip");
+$zip->extractTo("$dirname/\0sub");
+$zip->close();
+
+// did we extract to the parent dir?
+var_dump(file_exists("$dirname/foo"));
+?>
+===DONE===
+--EXPECTF--
+Warning: ZipArchive::extractTo() expects parameter 1 to be a valid path, string given in %s on line %d
+bool(false)
+===DONE===
+--CLEAN--
+<?php
+$dirname = __DIR__ . DIRECTORY_SEPARATOR . '73910';
+unlink("$dirname.zip");
+unlink("$dirname/foo");
+rmdir("$dirname/sub");
+rmdir("$dirname");
+?>
-- 
2.10.2.windows.1