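--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,11 @@ PHP NEWS
 IntlCalendar::equals(), ::before(), ::after(), and ::isEquivalentTo().
 (Weilin Du)
 
+- Phar:
+. Fixed a bypass of the magic ".phar" directory protection in
+Phar::addEmptyDir() for paths starting with "/.phar", while allowing
+non-magic directory names that merely share the ".phar" prefix. (Weilin Du)
+
 - Zlib:
 . Fixed memory leak if deflate initialization fails and there is a dict.
 (ndossche)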
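--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -3863,9 +3863,16 @@ PHP_METHOD(Phar, addEmptyDir)
 
 PHAR_ARCHIVE_OBJECT();
 
-if (zend_string_starts_with_literal(dir_name, ".phar")) {
-zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create a directory in magic \".phar\" directory");
-RETURN_THROWS();
+if (
+zend_string_starts_with_literal(dir_name, ".phar")
+|| zend_string_starts_with_literal(dir_name, "/.phar")
+) {
+size_t prefix_len = (ZSTR_VAL(dir_name)[0] == '/') + sizeof(".phar")-1;
+char next_char = ZSTR_VAL(dir_name)[prefix_len];
+if (next_char == '/' || next_char == '\\' || next_char == '\0') {
+zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create a directory in magic \".phar\" directory");
+RETURN_THROWS();
+}
 }
 
 phar_mkdir(&phar_obj->archive, dir_name);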
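Review bot: The new guard in addEmptyDir still tests the raw argument, and it is asymmetric: after the `.phar` prefix it accepts `'/'`, `'\\'` and end of string as segment boundaries, but before the prefix only a single optional `'/'` is recognised. Whether phar_mkdir() canonicalises the name further (separator handling, dot segments) is not visible in this hunk. It would be safer to run the check on the canonical form the entry is stored under, or to move it into phar_mkdir() so every caller inherits it. A short comment above the inner `if`, such as `/* ".phar" is magic only as a complete first path segment; ".pharx" is an ordinary name */`, would also record why the previous blanket prefix rejection was relaxed. The method body starts and ends outside the hunk.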
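--- a/ext/phar/tests/mkdir.phpt
+++ b/ext/phar/tests/mkdir.phpt
@@ -24,6 +24,13 @@ $a->addEmptyDir('.phar');
 } catch (Exception $e) {
 echo $e->getMessage(),"\n";
 }
+try {
+$a->addEmptyDir('/.phar');
+} catch (Exception $e) {
+echo $e->getMessage(),"\n";
+}
+$a->addEmptyDir('/.pharx');
+var_dump(is_dir($pname . '/.pharx'));
 ?>
 --CLEAN--
 <?php
@@ -43,3 +50,5 @@ Warning: rmdir(): phar error: cannot remove directory "" in phar "foo.phar", dir
 
 Warning: rmdir(): phar error: cannot remove directory "a" in phar "%smkdir.phar.php", phar error: path "a" exists and is a not a directory in %smkdir.php on line %d
 Cannot create a directory in magic ".phar" directory
+Cannot create a directory in magic ".phar" directory
+bool(true)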
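Review bot: The added cases exercise only the leading-slash spellings (`/.phar` rejected, `/.pharx` allowed), so most of the new condition has no expectation in the visible hunks. The behaviour change for `.pharx` without a leading slash, which the old prefix test rejected, is untested. The `'/'` and `'\\'` boundary branches after the prefix are untested as well. Adding `$a->addEmptyDir('.pharx'); var_dump(is_dir($pname . '/.pharx'));` would pin the relaxed side. A try/catch around `$a->addEmptyDir('/.phar/x');` with the matching expected message line would pin the rejecting side.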