Merge pull request #214 from nextcloud/dependabot/composer/stable15/p…
…ear/archive_tar-1.4.5

[stable15] [Security] Bump pear/archive_tar from 1.4.3 to 1.4.5
rullzer committed Jan 15, 2019
2 parents 21b7908 + f1ebefe commit 4c31d75
Showing 9 changed files with 131 additions and 73 deletions.
2 changes: 1 addition & 1 deletion composer.json
@@ -33,7 +33,7 @@
"nikic/php-parser": "1.4.1",
"patchwork/jsqueeze": "^2.0",
"patchwork/utf8": "1.3.1",
"pear/archive_tar": "1.4.3",
"pear/archive_tar": "1.4.5",
"pear/pear-core-minimal": "^v1.10",
"phpseclib/phpseclib": "2.0.11",
"php-opencloud/openstack": "3.0.5",
18 changes: 9 additions & 9 deletions composer.lock


2 changes: 1 addition & 1 deletion composer/ClassLoader.php
@@ -279,7 +279,7 @@ public function isClassMapAuthoritative()
*/
public function setApcuPrefix($apcuPrefix)
{
$this->apcuPrefix = function_exists('apcu_fetch') && ini_get('apc.enabled') ? $apcuPrefix : null;
$this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
}

/**
18 changes: 9 additions & 9 deletions composer/installed.json
@@ -1824,17 +1824,17 @@
},
{
"name": "pear/archive_tar",
"version": "1.4.3",
"version_normalized": "1.4.3.0",
"version": "1.4.5",
"version_normalized": "1.4.5.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
"reference": "43455c960da70e655c6bdf8ea2bc8cc1a6034afb"
"reference": "ff716ca697c5e9e8593212cb785ffd03ee11b01f"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/43455c960da70e655c6bdf8ea2bc8cc1a6034afb",
"reference": "43455c960da70e655c6bdf8ea2bc8cc1a6034afb",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/ff716ca697c5e9e8593212cb785ffd03ee11b01f",
"reference": "ff716ca697c5e9e8593212cb785ffd03ee11b01f",
"shasum": ""
},
"require": {
@@ -1845,11 +1845,11 @@
"phpunit/phpunit": "*"
},
"suggest": {
"ext-bz2": "bz2 compression support.",
"ext-xz": "lzma2 compression support.",
"ext-bz2": "Bz2 compression support.",
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
"time": "2017-06-11T17:28:11+00:00",
"time": "2019-01-02T21:45:13+00:00",
"type": "library",
"extra": {
"branch-alias": {
@@ -1883,7 +1883,7 @@
"email": "mrook@php.net"
}
],
"description": "Tar file management class",
"description": "Tar file management class with compression support (gzip, bzip2, lzma2)",
"homepage": "https://github.com/pear/Archive_Tar",
"keywords": [
"archive",
4 changes: 4 additions & 0 deletions pear/archive_tar/.gitignore
@@ -4,3 +4,7 @@ composer.phar
vendor
# IDE
.idea
# eclipse
.buildpath
.project
.settings
109 changes: 65 additions & 44 deletions pear/archive_tar/Archive/Tar.php
@@ -1337,10 +1337,22 @@ public function _writeHeader($p_filename, $p_stored_filename)
if ($p_stored_filename == '') {
$p_stored_filename = $p_filename;
}
$v_reduce_filename = $this->_pathReduction($p_stored_filename);

if (strlen($v_reduce_filename) > 99) {
if (!$this->_writeLongHeader($v_reduce_filename)) {
$v_reduced_filename = $this->_pathReduction($p_stored_filename);

if (strlen($v_reduced_filename) > 99) {
if (!$this->_writeLongHeader($v_reduced_filename, false)) {
return false;
}
}

$v_linkname = '';
if (@is_link($p_filename)) {
$v_linkname = readlink($p_filename);
}

if (strlen($v_linkname) > 99) {
if (!$this->_writeLongHeader($v_linkname, true)) {
return false;
}
}
@@ -1349,14 +1361,10 @@ public function _writeHeader($p_filename, $p_stored_filename)
$v_uid = sprintf("%07s", DecOct($v_info[4]));
$v_gid = sprintf("%07s", DecOct($v_info[5]));
$v_perms = sprintf("%07s", DecOct($v_info['mode'] & 000777));

$v_mtime = sprintf("%011s", DecOct($v_info['mtime']));

$v_linkname = '';

if (@is_link($p_filename)) {
$v_typeflag = '2';
$v_linkname = readlink($p_filename);
$v_size = sprintf("%011s", DecOct(0));
} elseif (@is_dir($p_filename)) {
$v_typeflag = "5";
@@ -1368,7 +1376,6 @@ public function _writeHeader($p_filename, $p_stored_filename)
}

$v_magic = 'ustar ';

$v_version = ' ';

if (function_exists('posix_getpwuid')) {
@@ -1383,14 +1390,12 @@ public function _writeHeader($p_filename, $p_stored_filename)
}

$v_devmajor = '';

$v_devminor = '';

$v_prefix = '';

$v_binary_data_first = pack(
"a100a8a8a8a12a12",
$v_reduce_filename,
$v_reduced_filename,
$v_perms,
$v_uid,
$v_gid,
@@ -1430,7 +1435,7 @@ public function _writeHeader($p_filename, $p_stored_filename)
$this->_writeBlock($v_binary_data_first, 148);

// ----- Write the calculated checksum
$v_checksum = sprintf("%06s ", DecOct($v_checksum));
$v_checksum = sprintf("%06s\0 ", DecOct($v_checksum));
$v_binary_data = pack("a8", $v_checksum);
$this->_writeBlock($v_binary_data, 8);

@@ -1462,7 +1467,7 @@ public function _writeHeaderBlock(
$p_filename = $this->_pathReduction($p_filename);

if (strlen($p_filename) > 99) {
if (!$this->_writeLongHeader($p_filename)) {
if (!$this->_writeLongHeader($p_filename, false)) {
return false;
}
}
@@ -1558,36 +1563,31 @@ public function _writeHeaderBlock(
* @param string $p_filename
* @return bool
*/
public function _writeLongHeader($p_filename)
public function _writeLongHeader($p_filename, $is_link = false)
{
$v_size = sprintf("%11s ", DecOct(strlen($p_filename)));

$v_typeflag = 'L';

$v_uid = sprintf("%07s", 0);
$v_gid = sprintf("%07s", 0);
$v_perms = sprintf("%07s", 0);
$v_size = sprintf("%'011s", DecOct(strlen($p_filename)));
$v_mtime = sprintf("%011s", 0);
$v_typeflag = ($is_link ? 'K' : 'L');
$v_linkname = '';

$v_magic = '';

$v_version = '';

$v_magic = 'ustar ';
$v_version = ' ';
$v_uname = '';

$v_gname = '';

$v_devmajor = '';

$v_devminor = '';

$v_prefix = '';

$v_binary_data_first = pack(
"a100a8a8a8a12a12",
'././@LongLink',
0,
0,
0,
$v_perms,
$v_uid,
$v_gid,
$v_size,
0
$v_mtime
);
$v_binary_data_last = pack(
"a1a100a6a2a32a32a8a8a155a12",
@@ -1622,7 +1622,7 @@ public function _writeLongHeader($p_filename)
$this->_writeBlock($v_binary_data_first, 148);

// ----- Write the calculated checksum
$v_checksum = sprintf("%06s ", DecOct($v_checksum));
$v_checksum = sprintf("%06s\0 ", DecOct($v_checksum));
$v_binary_data = pack("a8", $v_checksum);
$this->_writeBlock($v_binary_data, 8);

@@ -1767,10 +1767,13 @@ private function _tarRecToSize($tar_size)
*/
private function _maliciousFilename($file)
{
if (strpos($file, '/../') !== false) {
if (strpos($file, 'phar://') === 0) {
return true;
}
if (strpos($file, '../') === 0) {
if (strpos($file, DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR) !== false) {
return true;
}
if (strpos($file, '..' . DIRECTORY_SEPARATOR) === 0) {
return true;
}
return false;
@@ -1835,11 +1838,20 @@ private function _extractInString($p_filename)
continue;
}

// ----- Look for long filename
if ($v_header['typeflag'] == 'L') {
if (!$this->_readLongHeader($v_header)) {
return null;
}
switch ($v_header['typeflag']) {
case 'L': {
if (!$this->_readLongHeader($v_header)) {
return null;
}
} break;

case 'K': {
$v_link_header = $v_header;
if (!$this->_readLongHeader($v_link_header)) {
return null;
}
$v_header['link'] = $v_link_header['filename'];
} break;
}

if ($v_header['filename'] == $p_filename) {
@@ -1940,11 +1952,20 @@ public function _extractList(
continue;
}

// ----- Look for long filename
if ($v_header['typeflag'] == 'L') {
if (!$this->_readLongHeader($v_header)) {
return false;
}
switch ($v_header['typeflag']) {
case 'L': {
if (!$this->_readLongHeader($v_header)) {
return null;
}
} break;

case 'K': {
$v_link_header = $v_header;
if (!$this->_readLongHeader($v_link_header)) {
return null;
}
$v_header['link'] = $v_link_header['filename'];
} break;
}

// ignore extended / pax headers
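Review bot: In `_maliciousFilename` the new wrapper check `strpos($file, 'phar://') === 0` is case-sensitive, but PHP matches stream-wrapper schemes case-insensitively, so a differently-cased scheme is not rejected; `stripos($file, 'phar://') === 0` (or rejecting any name that contains `://`) closes that. The traversal checks now use `DIRECTORY_SEPARATOR`, so on Windows an entry stored with forward slashes, the usual tar convention, no longer matches even though Windows resolves `/` as a separator; testing both forms on every platform, `strpos($file, '../') !== false || strpos($file, '..\\') !== false`, avoids that regression. The function's closing brace is outside the hunk, and because this is a vendored copy the change belongs upstream in pear/Archive_Tar, with callers validating entry names before extraction until a fixed release is pulled in.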
1 change: 1 addition & 0 deletions pear/archive_tar/README.md
@@ -7,6 +7,7 @@ This package provides handling of tar files in PHP.
It supports creating, listing, extracting and adding to tar files.
Gzip support is available if PHP has the zlib extension built-in or
loaded. Bz2 compression is also supported with the bz2 extension loaded.
Also Lzma2 compressed archives are supported with xz extension.

This package is hosted at http://pear.php.net/package/Archive_Tar

6 changes: 3 additions & 3 deletions pear/archive_tar/composer.json
@@ -1,6 +1,6 @@
{
"name": "pear/archive_tar",
"description": "Tar file management class",
"description": "Tar file management class with compression support (gzip, bzip2, lzma2)",
"type": "library",
"keywords": [
"archive",
@@ -28,8 +28,8 @@
},
"suggest": {
"ext-zlib": "Gzip compression support.",
"ext-bz2": "bz2 compression support.",
"ext-xz": "lzma2 compression support."
"ext-bz2": "Bz2 compression support.",
"ext-xz": "Lzma2 compression support."
},
"autoload": {
"psr-0": {
