Skip to content

Instantly share code, notes, and snippets.

@smalyshev smalyshev/70350.diff Secret
Created Aug 30, 2015

Embed
What would you like to do?
commit f9c2bf73adb2ede0a486b0db466c264f2b27e0bb
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Aug 30 00:38:08 2015 -0700
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index abc21c7..6c872eb 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -174,7 +174,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int fil
/* it is a directory only, see #40228 */
if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) {
- len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file);
+ len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned);
is_dir_only = 1;
} else {
memcpy(file_dirname, path_cleaned, path_cleaned_len);
diff --git a/ext/zip/tests/bug70350.phpt b/ext/zip/tests/bug70350.phpt
new file mode 100644
index 0000000..c308f54
--- /dev/null
+++ b/ext/zip/tests/bug70350.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories)
+--SKIPIF--
+<?php
+if(!extension_loaded('zip')) die('skip');
+?>
+--FILE--
+<?php
+
+$dir = dirname(__FILE__)."/bug70350";
+mkdir($dir);
+$archive = new ZipArchive();
+$archive->open("$dir/a.zip",ZipArchive::CREATE);
+$archive->addEmptyDir("../down2/");
+$archive->close();
+
+$archive2 = new ZipArchive();
+$archive2->open('a.zip');
+$archive2->extractTo($dir);
+$archive2->close();
+var_dump(file_exists("$dir/down2/"));
+var_dump(file_exists("../down2/"));
+?>
+--CLEAN--
+<?php
+$dir = dirname(__FILE__)."/bug70350";
+rmdir("$dir/down2");
+unlink("$dir/a.zip");
+rmdir($dir);
+?>
+--EXPECT--
+bool(true)
+bool(false)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.