diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-09-01 12:06:41 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-09-01 12:06:41 -0700 |
| commit | c19d59c550053ffa797fce59aadf7bc79727390c (patch) | |
| tree | 71dfde3c820dc4027966fcdd5d04b32ee90090e8 /ext/zip | |
| parent | 45e7e79485f27ed22feb206cfe360718c424bf1a (diff) | |
| parent | 31b634bf7cb8e3de1dfa71418e348133c2365933 (diff) | |
| download | php-git-c19d59c550053ffa797fce59aadf7bc79727390c.tar.gz | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
5.4.45 next
Conflicts:
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/zip/php_zip.c
Diffstat (limited to 'ext/zip')
| -rw-r--r-- | ext/zip/php_zip.c | 2 | ||||
| -rw-r--r-- | ext/zip/tests/bug70350.phpt | 33 |
2 files changed, 34 insertions, 1 deletions
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index f9f12af127..d4f77eb4ed 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -200,7 +200,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int fil /* it is a directory only, see #40228 */ if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { - len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); + len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned); is_dir_only = 1; } else { memcpy(file_dirname, path_cleaned, path_cleaned_len); diff --git a/ext/zip/tests/bug70350.phpt b/ext/zip/tests/bug70350.phpt new file mode 100644 index 0000000000..d81de65a32 --- /dev/null +++ b/ext/zip/tests/bug70350.phpt @@ -0,0 +1,33 @@ +--TEST-- +Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories) +--SKIPIF-- +<?php +if(!extension_loaded('zip')) die('skip'); +?> +--FILE-- +<?php + +$dir = dirname(__FILE__)."/bug70350"; +mkdir($dir); +$archive = new ZipArchive(); +$archive->open("$dir/a.zip",ZipArchive::CREATE); +$archive->addEmptyDir("../down2/"); +$archive->close(); + +$archive2 = new ZipArchive(); +$archive2->open("$dir/a.zip"); +$archive2->extractTo($dir); +$archive2->close(); +var_dump(file_exists("$dir/down2/")); +var_dump(file_exists("../down2/")); +?> +--CLEAN-- +<?php +$dir = dirname(__FILE__)."/bug70350"; +rmdir("$dir/down2"); +unlink("$dir/a.zip"); +rmdir($dir); +?> +--EXPECT-- +bool(true) +bool(false) |