From f1ebefeff2b0bc3e13b8018ce1cdee1beaeea017 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]"
Date: Tue, 15 Jan 2019 04:32:50 +0000
Subject: [PATCH] [Security] Bump pear/archive_tar from 1.4.3 to 1.4.5

Bumps [pear/archive_tar](https://github.com/pear/Archive_Tar) from 1.4.3 to 1.4.5.
**This update includes security fixes.**
- [Release notes](https://github.com/pear/Archive_Tar/releases)
- [Commits](https://github.com/pear/Archive_Tar/compare/1.4.3...1.4.5)

Signed-off-by: dependabot[bot]
Signed-off-by: Roeland Jago Douma
---
 composer.json | 2 +-
 composer.lock | 18 ++---
 composer/ClassLoader.php | 2 +-
 composer/installed.json | 18 ++---
 pear/archive_tar/.gitignore | 4 ++
 pear/archive_tar/Archive/Tar.php | 109 ++++++++++++++++++-------------
 pear/archive_tar/README.md | 1 +
 pear/archive_tar/composer.json | 6 +-
 pear/archive_tar/package.xml | 44 +++++++++++--
 9 files changed, 131 insertions(+), 73 deletions(-)

diff --git a/composer.json b/composer.json
index 3e080f7d8..30fd2f3f7 100644
--- a/composer.json
+++ b/composer.json
@@ -33,7 +33,7 @@
 "nikic/php-parser": "1.4.1",
 "patchwork/jsqueeze": "^2.0",
 "patchwork/utf8": "1.3.1",
- "pear/archive_tar": "1.4.3",
+ "pear/archive_tar": "1.4.5",
 "pear/pear-core-minimal": "^v1.10",
 "phpseclib/phpseclib": "2.0.11",
 "php-opencloud/openstack": "3.0.5",
diff --git a/composer.lock b/composer.lock
index a8dfc587a..efda3dd2f 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "86347379256dbee99c4c900777b268ef",
+ "content-hash": "b526d05dca797bb55382859f43ab5e36",
 "packages": [
 {
 "name": "aws/aws-sdk-php",
@@ -1769,16 +1769,16 @@
 },
 {
 "name": "pear/archive_tar",
- "version": "1.4.3",
+ "version": "1.4.5",
 "source": {
 "type": "git",
 "url": "https://github.com/pear/Archive_Tar.git",
- "reference": "43455c960da70e655c6bdf8ea2bc8cc1a6034afb"
+ "reference": "ff716ca697c5e9e8593212cb785ffd03ee11b01f"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/43455c960da70e655c6bdf8ea2bc8cc1a6034afb",
- "reference": "43455c960da70e655c6bdf8ea2bc8cc1a6034afb",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/ff716ca697c5e9e8593212cb785ffd03ee11b01f",
+ "reference": "ff716ca697c5e9e8593212cb785ffd03ee11b01f",
 "shasum": ""
 },
 "require": {
@@ -1789,8 +1789,8 @@
 "phpunit/phpunit": "*"
 },
 "suggest": {
- "ext-bz2": "bz2 compression support.",
- "ext-xz": "lzma2 compression support.",
+ "ext-bz2": "Bz2 compression support.",
+ "ext-xz": "Lzma2 compression support.",
 "ext-zlib": "Gzip compression support."
 },
 "type": "library",
@@ -1825,13 +1825,13 @@
 "email": "mrook@php.net"
 }
 ],
- "description": "Tar file management class",
+ "description": "Tar file management class with compression support (gzip, bzip2, lzma2)",
 "homepage": "https://github.com/pear/Archive_Tar",
 "keywords": [
 "archive",
 "tar"
 ],
- "time": "2017-06-11T17:28:11+00:00"
+ "time": "2019-01-02T21:45:13+00:00"
 },
 {
 "name": "pear/console_getopt",
diff --git a/composer/ClassLoader.php b/composer/ClassLoader.php
index 95f7e0978..fce8549f0 100644
--- a/composer/ClassLoader.php
+++ b/composer/ClassLoader.php
@@ -279,7 +279,7 @@ public function isClassMapAuthoritative()
 */
 public function setApcuPrefix($apcuPrefix)
 {
- $this->apcuPrefix = function_exists('apcu_fetch') && ini_get('apc.enabled') ? $apcuPrefix : null;
+ $this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
 }
 
 /**
diff --git a/composer/installed.json b/composer/installed.json
index 1bc060a6a..04a0f6177 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -1824,17 +1824,17 @@
 },
 {
 "name": "pear/archive_tar",
- "version": "1.4.3",
- "version_normalized": "1.4.3.0",
+ "version": "1.4.5",
+ "version_normalized": "1.4.5.0",
 "source": {
 "type": "git",
 "url": "https://github.com/pear/Archive_Tar.git",
- "reference": "43455c960da70e655c6bdf8ea2bc8cc1a6034afb"
+ "reference": "ff716ca697c5e9e8593212cb785ffd03ee11b01f"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/43455c960da70e655c6bdf8ea2bc8cc1a6034afb",
- "reference": "43455c960da70e655c6bdf8ea2bc8cc1a6034afb",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/ff716ca697c5e9e8593212cb785ffd03ee11b01f",
+ "reference": "ff716ca697c5e9e8593212cb785ffd03ee11b01f",
 "shasum": ""
 },
 "require": {
@@ -1845,11 +1845,11 @@
 "phpunit/phpunit": "*"
 },
 "suggest": {
- "ext-bz2": "bz2 compression support.",
- "ext-xz": "lzma2 compression support.",
+ "ext-bz2": "Bz2 compression support.",
+ "ext-xz": "Lzma2 compression support.",
 "ext-zlib": "Gzip compression support."
 },
- "time": "2017-06-11T17:28:11+00:00",
+ "time": "2019-01-02T21:45:13+00:00",
 "type": "library",
 "extra": {
 "branch-alias": {
@@ -1883,7 +1883,7 @@
 "email": "mrook@php.net"
 }
 ],
- "description": "Tar file management class",
+ "description": "Tar file management class with compression support (gzip, bzip2, lzma2)",
 "homepage": "https://github.com/pear/Archive_Tar",
 "keywords": [
 "archive",
diff --git a/pear/archive_tar/.gitignore b/pear/archive_tar/.gitignore
index 12262da27..c32ccd7cc 100644
--- a/pear/archive_tar/.gitignore
+++ b/pear/archive_tar/.gitignore
@@ -4,3 +4,7 @@ composer.phar
 vendor
 # IDE
 .idea
+# eclipse
+.buildpath
+.project
+.settings
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 0bd1c6caa..68bdffe51 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -1337,10 +1337,22 @@ public function _writeHeader($p_filename, $p_stored_filename) if ($p_stored_filename == '') { $p_stored_filename = $p_filename; } - $v_reduce_filename = $this->_pathReduction($p_stored_filename); - if (strlen($v_reduce_filename) > 99) { - if (!$this->_writeLongHeader($v_reduce_filename)) { + $v_reduced_filename = $this->_pathReduction($p_stored_filename); + + if (strlen($v_reduced_filename) > 99) { + if (!$this->_writeLongHeader($v_reduced_filename, false)) { + return false; + } + } + + $v_linkname = ''; + if (@is_link($p_filename)) { + $v_linkname = readlink($p_filename); + } + + if (strlen($v_linkname) > 99) { + if (!$this->_writeLongHeader($v_linkname, true)) { return false; } } @@ -1349,14 +1361,10 @@ public function _writeHeader($p_filename, $p_stored_filename) $v_uid = sprintf("%07s", DecOct($v_info[4])); $v_gid = sprintf("%07s", DecOct($v_info[5])); $v_perms = sprintf("%07s", DecOct($v_info['mode'] & 000777)); - $v_mtime = sprintf("%011s", DecOct($v_info['mtime'])); - $v_linkname = ''; - if (@is_link($p_filename)) { $v_typeflag = '2'; - $v_linkname = readlink($p_filename); $v_size = sprintf("%011s", DecOct(0)); } elseif (@is_dir($p_filename)) { $v_typeflag = "5"; @@ -1368,7 +1376,6 @@ public function _writeHeader($p_filename, $p_stored_filename) } $v_magic = 'ustar '; - $v_version = ' '; if (function_exists('posix_getpwuid')) { @@ -1383,14 +1390,12 @@ public function _writeHeader($p_filename, $p_stored_filename) } $v_devmajor = ''; - $v_devminor = ''; - $v_prefix = ''; $v_binary_data_first = pack( "a100a8a8a8a12a12", - $v_reduce_filename, + $v_reduced_filename, $v_perms, $v_uid, $v_gid, 
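Review bot: The new `$v_linkname = readlink($p_filename);` in _writeHeader is not checked for failure; readlink() returns false when the target cannot be read, and that value then goes through strlen() and into the header pack call instead of an empty link name. Because the surrounding `@is_link()` suppresses warnings, an unreadable or dangling link produces a header with a bogus link field without any diagnostic. A minimal guard is `$v_linkname = readlink($p_filename); if ($v_linkname === false) { return false; }`, which mirrors how the rest of this method reports failure. _writeHeader begins before this hunk and continues past it.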
@@ -1430,7 +1435,7 @@ public function _writeHeader($p_filename, $p_stored_filename) $this->_writeBlock($v_binary_data_first, 148); // ----- Write the calculated checksum - $v_checksum = sprintf("%06s ", DecOct($v_checksum)); + $v_checksum = sprintf("%06s\0 ", DecOct($v_checksum)); $v_binary_data = pack("a8", $v_checksum); $this->_writeBlock($v_binary_data, 8); @@ -1462,7 +1467,7 @@ public function _writeHeaderBlock( $p_filename = $this->_pathReduction($p_filename); if (strlen($p_filename) > 99) { - if (!$this->_writeLongHeader($p_filename)) { + if (!$this->_writeLongHeader($p_filename, false)) { return false; } } @@ -1558,36 +1563,31 @@ public function _writeHeaderBlock( * @param string $p_filename * @return bool */ - public function _writeLongHeader($p_filename) + public function _writeLongHeader($p_filename, $is_link = false) { - $v_size = sprintf("%11s ", DecOct(strlen($p_filename))); - - $v_typeflag = 'L'; - + $v_uid = sprintf("%07s", 0); + $v_gid = sprintf("%07s", 0); + $v_perms = sprintf("%07s", 0); + $v_size = sprintf("%'011s", DecOct(strlen($p_filename))); + $v_mtime = sprintf("%011s", 0); + $v_typeflag = ($is_link ? 'K' : 'L'); $v_linkname = ''; - - $v_magic = ''; - - $v_version = ''; - + $v_magic = 'ustar '; + $v_version = ' '; $v_uname = ''; - $v_gname = ''; - $v_devmajor = ''; - $v_devminor = ''; - $v_prefix = ''; $v_binary_data_first = pack( "a100a8a8a8a12a12", '././@LongLink', - 0, - 0, - 0, + $v_perms, + $v_uid, + $v_gid, $v_size, - 0 + $v_mtime ); $v_binary_data_last = pack( "a1a100a6a2a32a32a8a8a155a12", @@ -1622,7 +1622,7 @@ public function _writeLongHeader($p_filename) $this->_writeBlock($v_binary_data_first, 148); // ----- Write the calculated checksum - $v_checksum = sprintf("%06s ", DecOct($v_checksum)); + $v_checksum = sprintf("%06s\0 ", DecOct($v_checksum)); $v_binary_data = pack("a8", $v_checksum); $this->_writeBlock($v_binary_data, 8); 
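Review bot: The new `$is_link` parameter of _writeLongHeader is undocumented — the docblock directly above the changed signature still lists only `@param string $p_filename`. Add `@param bool $is_link true to emit a 'K' (long link name) entry, false for an 'L' (long file name) entry`, which is the distinction the `$v_typeflag = ($is_link ? 'K' : 'L');` line makes. A small style point in the same hunk: `$v_size = sprintf("%'011s", ...)` spells the zero padding with an explicit custom-pad-character specifier while the adjacent `$v_mtime = sprintf("%011s", 0)` and the rest of the file use the plain `%011s` form; the two are equivalent, so the shorter form keeps the block consistent.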
@@ -1767,10 +1767,13 @@ private function _tarRecToSize($tar_size) */ private function _maliciousFilename($file) { - if (strpos($file, '/../') !== false) { + if (strpos($file, 'phar://') === 0) { return true; } - if (strpos($file, '../') === 0) { + if (strpos($file, DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR) !== false) { + return true; + } + if (strpos($file, '..' . DIRECTORY_SEPARATOR) === 0) { return true; } return false; @@ -1835,11 +1838,20 @@ private function _extractInString($p_filename) continue; } - // ----- Look for long filename - if ($v_header['typeflag'] == 'L') { - if (!$this->_readLongHeader($v_header)) { - return null; - } + switch ($v_header['typeflag']) { + case 'L': { + if (!$this->_readLongHeader($v_header)) { + return null; + } + } break; + + case 'K': { + $v_link_header = $v_header; + if (!$this->_readLongHeader($v_link_header)) { + return null; + } + $v_header['link'] = $v_link_header['filename']; + } break; } if ($v_header['filename'] == $p_filename) { @@ -1940,11 +1952,20 @@ public function _extractList( continue; } - // ----- Look for long filename - if ($v_header['typeflag'] == 'L') { - if (!$this->_readLongHeader($v_header)) { - return false; - } + switch ($v_header['typeflag']) { + case 'L': { + if (!$this->_readLongHeader($v_header)) { + return null; + } + } break; + + case 'K': { + $v_link_header = $v_header; + if (!$this->_readLongHeader($v_link_header)) { + return null; + } + $v_header['link'] = $v_link_header['filename']; + } break; } // ignore extended / pax headers diff --git a/pear/archive_tar/README.md b/pear/archive_tar/README.md index fcf246cdc..96e95713a 100644 --- a/pear/archive_tar/README.md +++ b/pear/archive_tar/README.md 
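Review bot: The new `strpos($file, 'phar://') === 0` test in _maliciousFilename is case-sensitive, while PHP matches stream-wrapper scheme names case-insensitively, so only the exact lowercase spelling is rejected; the comparison wanted here is `if (stripos($file, 'phar://') === 0) {`. Switching the traversal tests from the literal `/../` and `../` to DIRECTORY_SEPARATOR has the opposite weakness: tar entry names use `/` regardless of host OS, so on a host whose separator is `\` the `/../` form the removed lines caught is no longer detected. Keeping the original `/`-based tests and adding the DIRECTORY_SEPARATOR variants beside them covers both, assuming this helper is only fed entry names read from the archive (its callers are outside the hunk).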
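Review bot: In the _extractList hunk the two new `return null;` statements replace `return false;` — the value the removed lines returned — so a failed long-header read now signals failure differently from the method's other exits, which lie outside this hunk and presumably still return false. A caller testing `=== false` would take that null for success. The equivalent block in _extractInString already returned null before this change, so that hunk is consistent; here the lines should read `return false;`. The two switch blocks are otherwise identical and could share one private helper, but that is optional.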
@@ -7,6 +7,7 @@ This package provides handling of tar files in PHP. It supports creating, listing, extracting and adding to tar files. Gzip support is available if PHP has the zlib extension built-in or loaded. Bz2 compression is also supported with the bz2 extension loaded. +Also Lzma2 compressed archives are supported with xz extension. This package is hosted at http://pear.php.net/package/Archive_Tar diff --git a/pear/archive_tar/composer.json b/pear/archive_tar/composer.json index c50b0a9a9..e464d9d7b 100644 --- a/pear/archive_tar/composer.json +++ b/pear/archive_tar/composer.json @@ -1,6 +1,6 @@ { "name": "pear/archive_tar", - "description": "Tar file management class", + "description": "Tar file management class with compression support (gzip, bzip2, lzma2)", "type": "library", "keywords": [ "archive", @@ -28,8 +28,8 @@ }, "suggest": { "ext-zlib": "Gzip compression support.", - "ext-bz2": "bz2 compression support.", - "ext-xz": "lzma2 compression support." + "ext-bz2": "Bz2 compression support.", + "ext-xz": "Lzma2 compression support." }, "autoload": { "psr-0": { diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml index 993618099..e9de05bf7 100644 --- a/pear/archive_tar/package.xml +++ b/pear/archive_tar/package.xml @@ -6,7 +6,8 @@ This class provides handling of tar files in PHP. It supports creating, listing, extracting and adding to tar files. Gzip support is available if PHP has the zlib extension built-in or -loaded. Bz2 compression is also supported with the bz2 extension loaded. +loaded. Bz2 compression is also supported with the bz2 extension loaded. +Also Lzma2 compressed archives are supported with xz extension. Vincent Blavet vblavet @@ -31,10 +32,10 @@ loaded. Bz2 compression is also supported with the bz2 extension loaded.stig@php.net no - 2017-06-11 - + 2019-01-02 + - 1.4.3 + 1.4.5 1.4.0 
@@ -43,8 +44,7 @@ loaded. Bz2 compression is also supported with the bz2 extension loaded. New BSD License -* Fix Bug #21218: Cannot use result of built-in function in write context in PHP - 7.2.0alpha1 [mrook] +* Fix Bug #23788: Relative symlinks are broken [mrook] @@ -74,6 +74,38 @@ loaded. Bz2 compression is also supported with the bz2 extension loaded. + + + 1.4.4 + 1.4.0 + + + stable + stable + + 2018-12-20 + New BSD License + +* Fix Bug #21058: Long symlinks are not supported [mrook] + * Fix Bug #23782: Prevent phar:// files from being extracted [mrook] + + + + + 1.4.3 + 1.4.0 + + + stable + stable + + 2017-06-11 + New BSD License + +* Fix Bug #21218: Cannot use result of built-in function in write context in PHP + 7.2.0alpha1 [mrook] + + 1.4.2