[security] Fixed issue #13960: vulnerabilities in file upload functionality
LouisGac committed Aug 16, 2018
1 parent 3d4865b commit 20fc85e
Showing 2 changed files with 45 additions and 1 deletion.
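--- a/application/helpers/common_helper.php
+++ b/application/helpers/common_helper.php
@@ -4960,3 +4960,40 @@ function isAssociativeArray($array){
 }
 return false;
 }
+
+/**
+* Test if a given zip file is Zip Bomb
+* see comment here : http://php.net/manual/en/function.zip-entry-filesize.php
+* @param string $zip_filename
+* @return int
+*/
+function isZipBomb($zip_filename)
+{
+return ( get_zip_originalsize($zip_filename) > getMaximumFileUploadSize() );
+}
+
+/**
+* Get the original size of a zip archive to prevent Zip Bombing
+* see comment here : http://php.net/manual/en/function.zip-entry-filesize.php
+* @param string $filename
+* @return int
+*/
+function get_zip_originalsize($filename) {
+
+if ( function_exists ('zip_entry_filesize') ){
+$size = 0;
+$resource = zip_open($filename);
+while ($dir_resource = zip_read($resource)) {
+$size += zip_entry_filesize($dir_resource);
+}
+zip_close($resource);
+
+return $size;
+}else{
+if ( YII_DEBUG ){
+Yii::app()->setFlashMessage(gT("Warning! php zip extension is not installed on your server. You're not protected from Zip Bomb attaacks."), 'error');
+}
+}
+
+return -1;
+}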
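Review bot: `isZipBomb` fails open whenever `get_zip_originalsize` cannot measure the archive: the `-1` returned when the zip extension is missing (and the unchecked result of `zip_open`, which is not a resource on failure and makes the following `zip_read` loop fail) compares as `-1 > max`, i.e. false, and outside `YII_DEBUG` nothing is logged at all. If failing open is the intended policy it should be stated in the docblock; otherwise handle the sentinel explicitly, e.g. `$size = get_zip_originalsize($zip_filename);` / `return $size < 0 || $size > getMaximumFileUploadSize();`, and guard the handle with `if (!is_resource($resource)) { return -1; }` before the loop. The docblock on `isZipBomb` says `@return int` while the function returns a bool. It is also worth documenting that the summed `zip_entry_filesize` values are the sizes declared in the archive's entry headers rather than measured by decompression, so this is a best-effort check, and that the procedural `zip_*` API is deprecated as of PHP 8.0 in favour of `ZipArchive`.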
9 changes: 8 additions & 1 deletion application/third_party/pclzip/pclzip.lib.php
Expand Up @@ -221,6 +221,13 @@ public function __construct($p_zipname)
die('Abort '.basename(__FILE__).' : Missing zlib extensions');
}


// Added by LS Team to prevent Zip Bombing
if (isZipBomb($p_zipname)){
die('Abort '.basename(__FILE__).' : Unzipped file is superior to upload_max_filesize or to post_max_size');
}


// ----- Set the attributes
$this->zipname = $p_zipname;
$this->zip_fd = 0;
Expand Down Expand Up @@ -3670,7 +3677,7 @@ function privExtractFile(&$p_entry, $p_path, $p_remove_path, $p_remove_all_path,
}

// Added by LS Team to check for invalid paths
$p_entry['filename'] = get_absolute_path($p_entry['filename']);
$p_entry['filename'] = get_absolute_path($p_entry['filename']);

// ----- Add the path
if ($p_path != '') {
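Review bot: The new guard on `$p_zipname` in the first hunk runs unconditionally in the constructor, before anything has established that the file exists or is readable; if PclZip objects are also constructed for archives that are about to be created rather than read, `isZipBomb` ends up calling `zip_open` on a missing path, and the helper's behaviour on an unreadable file decides between a warning-laden pass and an abort. Limiting the check to existing archives with `if (is_readable($p_zipname) && isZipBomb($p_zipname)) {`, or moving the call to the extraction path where a real archive is guaranteed, would avoid that. Calling a LimeSurvey helper and `die()`-ing from a vendored library under `application/third_party/pclzip` also couples the library to the application; consistent with the existing zlib check it is at least in the file's style, but a comment such as `// LimeSurvey-specific: requires isZipBomb() from common_helper.php` would make the dependency visible to whoever next upgrades PclZip. The constructor starts and ends outside the hunk, and the second hunk appears to be a whitespace-only change.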
