From 55ddcbca0f8c95e28a8a828ec4635cbc792d9807 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 1 Sep 2015 12:06:41 -0700 Subject: Merge branch 'PHP-5.5' into PHP-5.6 * PHP-5.5: update NEWS add NEWS for fixes Improve fix for #70172 Fix bug #70312 - HAVAL gives wrong hashes in specific cases fix test add test Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage Fix bug #70172 - Use After Free Vulnerability in unserialize() Fix bug #70388 - SOAP serialize_function_call() type confusion Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories Improve fix for #70385 Fix bug #70345 (Multiple vulnerabilities related to PCRE functions) Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes) Fix bug #70219 (Use after free vulnerability in session deserializer) Fix for bug #69782 Add CVE IDs asigned (post release) to PHP 5.4.43 Add CVE IDs asigned to #69085 (PHP 5.4.39) 5.4.45 next Conflicts: ext/pcre/php_pcre.c ext/standard/var_unserializer.c ext/standard/var_unserializer.re ext/zip/php_zip.c --- ext/zip/php_zip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ext/zip/php_zip.c') diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index f9f12af127..d4f77eb4ed 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -200,7 +200,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int fil /* it is a directory only, see #40228 */ if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { - len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); + len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned); is_dir_only = 1; } else { memcpy(file_dirname, path_cleaned, path_cleaned_len); -- cgit v1.2.1