update
bobimicroweber committed Nov 4, 2020
1 parent b32114f commit 777ee9c
Showing 2 changed files with 28 additions and 3 deletions.
30 changes: 27 additions & 3 deletions src/MicroweberPackages/Utils/Zip/Unzip.php
@@ -82,14 +82,19 @@ public function extract($zip_file, $target_dir = null, $preserve_filepath = true
}

} else if (function_exists('gzinflate')) {

if (!$files = $this->_list_files()) {
$this->set_error('ZIP folder was empty.');

return false;
}

$file_locations = array();
foreach ($files as $file => $trash) {

if (strpos($file,'..') !== false) {
continue;
}

$dirname = pathinfo($file, PATHINFO_DIRNAME);
$extension = (pathinfo($file, PATHINFO_EXTENSION));

@@ -205,12 +210,17 @@ public function native_unzip($zip_file, $target_dir = null, $preserve_filepath =
$name = dirname($name);
$is_dir_there = $target_dir . $name;

if (strpos($is_dir_there,'..') !== false) {
continue;
}

if ($name != '.') {
$dirs_tree[] = $is_dir_there;

}

}

$dirs_tree = array_unique($dirs_tree);

foreach ($dirs_tree as $item) {
@@ -238,6 +248,11 @@ public function native_unzip($zip_file, $target_dir = null, $preserve_filepath =
$size = zip_entry_filesize($entry);
$name = zip_entry_name($entry);
$target_file_to_save = normalize_path($target_dir . $name, false);

if (strpos($target_file_to_save,'..') !== false) {
continue;
}

$target_file_to_save_dir = dirname($target_file_to_save);
if(!is_dir($target_file_to_save_dir)){
mkdir_recursive($target_file_to_save_dir);
@@ -263,8 +278,9 @@ public function native_unzip($zip_file, $target_dir = null, $preserve_filepath =
}
zip_close($archive);
}

return $file_locations;
if (!empty($file_locations)) {
$file_locations = array_unique($file_locations);
}
}

return $file_locations;
@@ -569,6 +585,14 @@ private function _load_files_by_signatures(&$fh, $stop_on_file = false)
*/
private function _extract_file($compressed_file_name, $target_file_name = false, $underscore_case = false)
{
if (strpos($target_file_name,'..') !== false) {
return false;
}

if (strpos($compressed_file_name,'..') !== false) {
return false;
}

if (!sizeof($this->compressed_list)) {
$this->set_debug('Trying to unzip before loading file list... Loading it!');
$this->_list_files(false, $compressed_file_name);
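Review bot: The new `strpos(..., '..') !== false` guards in `extract`, `native_unzip` and `_extract_file` are a substring test rather than a path-containment check, and in `native_unzip` they run on the joined `$target_dir . $name` instead of the entry name. A legitimate entry such as `notes..txt`, or any archive unpacked into a target directory whose own path contains `..`, is therefore dropped, and each rejected entry is skipped with a bare `continue` or `return false`, so the caller gets no signal that the archive carried traversal names. Testing the entry name by segment and recording the rejection would be tighter, e.g. `if (in_array('..', explode('/', str_replace('\\', '/', $name)), true)) { $this->set_error('Unsafe path in ZIP entry: ' . $name); continue; }`, ideally in one private helper shared by every site. Whether `normalize_path()` already collapses `..` before the check in the file-writing loop cannot be seen from this page; if it does, that check never fires and the final path should instead be verified to start with the normalized `$target_dir`. The enclosing functions start and end outside the visible hunks.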
1 change: 1 addition & 0 deletions userfiles/modules/admin/backup_v2/css/style.css
@@ -140,6 +140,7 @@
border-radius: 4px;
margin-top: 15px;
margin-bottom: 15px;
overflow-y: scroll;
}

.js-export-log:empty {
