PHP :: Sec Bug #66321 :: PHP ZipArchive::open() ze_obj->filename_len not real
| Sec Bug #66321 | PHP ZipArchive::open() ze_obj->filename_len not real | | |
|---|---|---|---|
| Submitted: | 2013-12-19 07:00 UTC | Modified: | 2016-05-14 15:15 UTC |
| From: | cyg0x7 at gmail dot com | Assigned: | remi (profile) |
| Status: | Closed | Package: | Zip Related |
| PHP Version: | 5.4.23 | OS: | Linux |
| Private report: | No | CVE-ID: | None |
[2013-12-19 07:00 UTC] cyg0x7 at gmail dot com
Description:
------------
The PHP function ZipArchive::open() uses 'filename_len' from the parameter as the length of ze_obj->filename (ze_obj->filename_len). After calling the function expand_filepath, the resolved_path's length may be less than the filename's length. Although ze_obj->filename_len is not used anywhere at present, I think it is a security risk, maybe someday.
=============================================
```c
if (!expand_filepath(filename, resolved_path TSRMLS_CC)) {
    RETURN_FALSE;
}
if (ze_obj->za) {
    /* we already have an opened zip, free it */
    if (zip_close(ze_obj->za) != 0) {
        _zip_free(ze_obj->za);
    }
    ze_obj->za = NULL;
}
if (ze_obj->filename) {
    efree(ze_obj->filename);
    ze_obj->filename = NULL;
}
intern = zip_open(resolved_path, flags, &err);
if (!intern || err) {
    RETURN_LONG((long)err);
}
ze_obj->filename = estrdup(resolved_path); // here resolved_path is used as the filename
ze_obj->filename_len = filename_len;       // but here the length comes from the argument
ze_obj->za = intern;
RETURN_TRUE;
```
Test script:
---------------
```php
<?php
$zip = new ZipArchive;
$fn = "/../../../../root/test.zip";
#var_dump( $fn );
$res = $zip->open($fn);
if ($res === TRUE) {
    echo 'ok';
    $zip->extractTo('test');
    $zip->close();
} else {
    echo 'failed, code:' . $res;
}
?>
```
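As an added illustration, not code from PHP or from the report: a small C model of the length mismatch described above, driven by the report's own test path. The struct, resolve_path() (a purely lexical stand-in for expand_filepath()), zip_open_model() and length_is_consistent() are constructed for this example; the consistent variant takes filename_len from the string actually stored, which is the remedy the report points at.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed model of the two ZipArchive object fields the report is about. */
typedef struct { char *filename; size_t filename_len; } zip_obj_t;

/* Simplified stand-in for expand_filepath(): resolves an absolute path lexically,
 * popping one component per "..". Returns the resolved length, 0 if out is too small. */
static size_t resolve_path(const char *in, char *out, size_t outsz) {
    char tmp[4096];
    size_t len = 0;                               /* length written to out so far */
    strncpy(tmp, in, sizeof tmp - 1);
    tmp[sizeof tmp - 1] = '\0';
    out[0] = '\0';
    for (char *tok = strtok(tmp, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, "..") == 0) {             /* pop, but never above "/" */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;
            out[len] = '\0';
            continue;
        }
        size_t tl = strlen(tok);
        if (len + 1 + tl >= outsz) return 0;
        out[len++] = '/';
        memcpy(out + len, tok, tl + 1);
        len += tl;
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; len = 1; }   /* everything popped */
    return len;
}

/* Models the tail of ZipArchive::open(). With like_reported set, filename_len is
 * copied from the argument exactly as in the reported snippet; otherwise it is taken
 * from the string actually stored, which is what any later user of the field needs. */
static int zip_open_model(zip_obj_t *o, const char *filename, size_t filename_len,
                          int like_reported) {
    char resolved[4096];
    size_t rlen = resolve_path(filename, resolved, sizeof resolved);
    if (rlen == 0) return -1;
    free(o->filename);
    if (!(o->filename = strdup(resolved))) return -1;
    o->filename_len = like_reported ? filename_len : rlen;
    return 0;
}

/* The invariant a consumer of filename_len would rely on. */
static int length_is_consistent(const zip_obj_t *o) {
    return o->filename != NULL && o->filename_len == strlen(o->filename);
}
```

With the report's path, the reported variant stores "/root/test.zip" (14 bytes) next to a filename_len of 26, so any later read of filename_len bytes from filename would run past the allocation; the consistent variant records 14.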
[2013-12-19 10:00 UTC] remi@php.net
Status: Open → Closed; Assigned To: (none) → remi