Summary:Don't allow upward directory traversal when extracting zip archive files. Entries whose names contain `..` or start at the filesystem root `/` should be normalized so that the extracted file always lands inside the extraction directory or one of its subdirectories. http://git.php.net/?p=php-src.git;a=commit;h=f9c2bf73adb2ede0a486b0db466c264f2b27e0bb Reviewed By: FBNeal Differential Revision: D2798452 fb-gh-sync-id: 844549c93e011d1e991bb322bf85822246b04e30 shipit-source-id: 844549c93e011d1e991bb322bf85822246b04e30
Showing
5 changed files
with
259 additions
and
8 deletions.
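--- a/hphp/test/slow/ext_zlib/ziparchive_extractto_directory.php
+++ b/hphp/test/slow/ext_zlib/ziparchive_extractto_directory.php
@@ -0,0 +1,57 @@
+<?php
+$dir = tempnam(sys_get_temp_dir(), __FILE__);
+unlink($dir);
+mkdir($dir);
+$archive = new ZipArchive();
+$archive->open("$dir/a.zip",ZipArchive::CREATE);
+$archive->addEmptyDir("../dir1/");
+$archive->addEmptyDir("/var/www/dir2/");
+$archive->addEmptyDir("a/b/../../../dir3");
+$archive->addEmptyDir("a/b/../dir4/");
+$archive->addEmptyDir("a/b/../c/../../d/dir5/");
+$archive->addEmptyDir("./dir6");
+$archive->addEmptyDir("x/y/dir7/..");
+$archive->addEmptyDir("z/dir8/.");
+$archive->addEmptyDir("simple");
+$archive->close();
+$archive2 = new ZipArchive();
+$archive2->open("$dir/a.zip");
+$archive2->extractTo($dir);
+$archive2->close();
+var_dump(file_exists("$dir/dir1/")); // true
+var_dump(file_exists("../dir1/")); // false
+var_dump(file_exists("$dir/var/www/dir2")); // true
+var_dump(file_exists("/var/www/dir2/")); // false
+var_dump(file_exists("$dir/dir3/")); // true
+var_dump(file_exists("a/b/../../../dir3/")); // false
+var_dump(file_exists("$dir/a/dir4/")); // true
+var_dump(file_exists("a/b/../dir4/")); // false
+var_dump(file_exists("$dir/d/dir5/")); // true
+var_dump(file_exists("a/b/../c/../../d/dir5/")); // false
+var_dump(file_exists("$dir/dir6")); // true
+var_dump(file_exists("./dir6")); // false
+var_dump(file_exists("$dir/x/y/")); // true
+var_dump(file_exists("x/y/dir7/..")); // false
+var_dump(file_exists("$dir/z/dir8")); // true
+var_dump(file_exists("z/dir8/.")); // false
+var_dump(file_exists("$dir/simple")); // true
+var_dump(file_exists("simple")); // false
+
+// Cleanup. Also verifies that everything is where it is supposed to be.
+rmdir("$dir/dir1");
+rmdir("$dir/var/www/dir2");
+rmdir("$dir/var/www");
+rmdir("$dir/var");
+rmdir("$dir/dir3");
+rmdir("$dir/a/dir4");
+rmdir("$dir/a");
+rmdir("$dir/d/dir5");
+rmdir("$dir/d");
+rmdir("$dir/dir6");
+rmdir("$dir/x/y");
+rmdir("$dir/x");
+rmdir("$dir/z/dir8");
+rmdir("$dir/z");
+rmdir("$dir/simple");
+unlink("$dir/a.zip");
+rmdir($dir);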
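Review bot: The negative assertions such as `var_dump(file_exists("../dir1/")); // false` resolve against the process working directory rather than against `$dir`, so they never look at the place an unpatched extractTo would actually have written: an entry `../dir1/` extracted into `$dir` escapes to `dirname($dir) . "/dir1"`, and `a/b/../../../dir3` to `dirname($dir) . "/dir3"`. As written those two checks would pass even without the fix, and the only escape the test genuinely observes is the absolute `/var/www/dir2/` case. Suggest `var_dump(file_exists(dirname($dir) . "/dir1"));` and `var_dump(file_exists(dirname($dir) . "/dir3"));` (and the equivalent in the file-based sibling test), which also makes the test independent of the runner's cwd. Only `..` and a leading `/` are exercised here; whether extraction refuses to follow symlinked entries or treats backslashes as separators is not covered, so presumably it is handled or rejected in the extractor itself — worth confirming.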
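--- a/hphp/test/slow/ext_zlib/ziparchive_extractto_directory.php.expect
+++ b/hphp/test/slow/ext_zlib/ziparchive_extractto_directory.php.expect
@@ -0,0 +1,18 @@
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)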
@@ -0,0 +1,75 @@ | ||
<?php | ||
$str = 'temp'; | ||
$dir = tempnam(sys_get_temp_dir(), __FILE__); | ||
unlink($dir); | ||
mkdir($dir); | ||
$archive = new ZipArchive(); | ||
$archive->open("$dir/a.zip",ZipArchive::CREATE); | ||
$archive->addFromString("../dir1/A.txt", $str); | ||
$archive->addFromString("/var/www/dir2/B", $str); | ||
$archive->addFromString("a/b/../../../dir3/C.txt.other", $str); | ||
$archive->addFromString("a/b/../dir4/D.not.a.file/D.a.file", $str); | ||
$archive->addFromString("a/b/../c/../../d/dir5/E", $str); | ||
$archive->addFromString("./dir6/F.exe", $str); | ||
$archive->addFromString("./G.txt", $str); | ||
$archive->addFromString("H.txt", $str); | ||
$archive->addFromString("x/y/dir7/../I.txt", $str); | ||
$archive->addFromString("z/dir8/./J.txt", $str); | ||
$archive->addFromString("SIMPLE.txt", $str); | ||
$archive->close(); | ||
$archive2 = new ZipArchive(); | ||
$archive2->open("$dir/a.zip"); | ||
$archive2->extractTo($dir); | ||
$archive2->close(); | ||
var_dump(file_exists("$dir/dir1/A.txt")); // true | ||
var_dump(file_exists("../dir1/A.txt")); // false | ||
var_dump(file_exists("$dir/var/www/dir2/B")); // true | ||
var_dump(file_exists("/var/www/dir2/B")); // false | ||
var_dump(file_exists("$dir/dir3/C.txt.other")); // true | ||
var_dump(file_exists("a/b/../../../dir3/C.txt.other")); // false | ||
var_dump(file_exists("$dir/a/dir4/D.not.a.file/D.a.file")); // true | ||
var_dump(file_exists("a/b/../dir4/D.not.a.file/D.a.file")); // false | ||
var_dump(file_exists("$dir/d/dir5/E")); // true | ||
var_dump(file_exists("a/b/../c/../../d/dir5/E")); // false | ||
var_dump(file_exists("$dir/dir6/F.exe")); // true | ||
var_dump(file_exists("./dir6/F.exe")); // false | ||
var_dump(file_exists("$dir/G.txt")); // true | ||
var_dump(file_exists("./G.txt")); // false | ||
var_dump(file_exists("$dir/H.txt")); // true | ||
var_dump(file_exists("H.txt")); // false | ||
var_dump(file_exists("$dir/x/y/I.txt")); // true | ||
var_dump(file_exists("x/y/dir7/../I.txt")); // false | ||
var_dump(file_exists("$dir/z/dir8/J.txt")); // true | ||
var_dump(file_exists("z/dir8/./J.txt")); // false | ||
var_dump(file_exists("$dir/SIMPLE.txt")); // true | ||
var_dump(file_exists("SIMPLE.txt")); // false | ||
|
||
// Cleanup. Also verifies that everything is where it is supposed to be. | ||
unlink("$dir/dir1/A.txt"); | ||
rmdir("$dir/dir1"); | ||
unlink("$dir/var/www/dir2/B"); | ||
rmdir("$dir/var/www/dir2"); | ||
rmdir("$dir/var/www"); | ||
rmdir("$dir/var"); | ||
unlink("$dir/dir3/C.txt.other"); | ||
rmdir("$dir/dir3"); | ||
unlink("$dir/a/dir4/D.not.a.file/D.a.file"); | ||
rmdir("$dir/a/dir4/D.not.a.file"); | ||
rmdir("$dir/a/dir4"); | ||
rmdir("$dir/a"); | ||
unlink("$dir/d/dir5/E"); | ||
rmdir("$dir/d/dir5"); | ||
rmdir("$dir/d"); | ||
unlink("$dir/dir6/F.exe"); | ||
rmdir("$dir/dir6"); | ||
unlink("$dir/x/y/I.txt"); | ||
rmdir("$dir/x/y"); | ||
rmdir("$dir/x"); | ||
unlink("$dir/z/dir8/J.txt"); | ||
rmdir("$dir/z/dir8"); | ||
rmdir("$dir/z"); | ||
unlink("$dir/G.txt"); | ||
unlink("$dir/H.txt"); | ||
unlink("$dir/a.zip"); | ||
unlink("$dir/SIMPLE.txt"); | ||
rmdir($dir); |
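--- a/hphp/test/slow/ext_zlib/ziparchive_extractto_file.php.expect
+++ b/hphp/test/slow/ext_zlib/ziparchive_extractto_file.php.expect
@@ -0,0 +1,22 @@
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)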