Prevent PclZip from unzipping outside of the target directory #1812

robocoder opened this Issue Nov 12, 2010 · 1 comment

1 participant


This directory traversal weakness isn't a security vulnerability in Piwik 1.0 because we don't unzip third-party (inherently untrusted) .zip archives within the app. But if we supply an absolute path to both PCLZIP_OPT_PATH and PCLZIP_OPT_EXTRACT_DIR_RESTRICTION, extract() can create files outside of the target directory if the stored filename contains '../'.

Since we contemplate in-app installation of third-party plugins in the future, we should tighten up our code to serve as a reference implementation.

The PCLZIP_OPT_EXTRACT_DIR_RESTRICTION option -- to restrict to a specified extract basedir -- appears to be incompatible with with the absolute path specified via PCLZIP_OPT_PATH. I've given up on hacking pclzip.lib.php (i.e., fix one thing, introduce new side-effects). Instead, I'll use the PCLZIP_CB_PRE_EXTRACT hook (callback) to examine the target path, and either accept or skip/abort as needed.


(In [3311]) fixes #1812

@robocoder robocoder added this to the Piwik 1.1 milestone Jul 8, 2014
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment