Fixed bug #64931

phar_add_file is too restrive on filename

Check for any of '/', '\\', '\0' after ".phar".

diff --git a/NEWS b/NEWS
index 5994c4501c9d70b6cfa4ef868f0670ff2ed2e908..a0366d2c2b1ca1cd1b025ea320f96dcd4ba4fdee 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,7 @@ PHP                                                                        NEWS
 - Phar:
   . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
     (Mike)
+  . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
   . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
   . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing 
     ".tar"). (Mike)

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 712795b1a4f863cea7b0a224e3adf3caa42ab881..0712b86f7b2e1aba537a081034c032fa7048b4e0 100644 (file)
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -3622,7 +3622,7 @@ static void phar_add_file(phar_archive_data **pphar, char *filename, int filenam
        phar_entry_data *data;
        php_stream *contents_file;
 
-       if (filename_len >= sizeof(".phar")-1 && !memcmp(filename, ".phar", sizeof(".phar")-1)) {
+       if (filename_len >= sizeof(".phar")-1 && !memcmp(filename, ".phar", sizeof(".phar")-1) && (filename[5] == '/' || filename[5] == '\\' || filename[5] == '\0')) {
                zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Cannot create any files in magic \".phar\" directory", (*pphar)->fname);
                return;
        }

diff --git a/ext/phar/tests/bug64931/bug64931.phpt b/ext/phar/tests/bug64931/bug64931.phpt
new file mode 100644 (file)
index 0000000..9c1f9dc
--- /dev/null
+++ b/ext/phar/tests/bug64931/bug64931.phpt
@@ -0,0 +1,58 @@
+--TEST--
+Bug #64931 (phar_add_file is too restrictive on filename)
+--SKIPIF--
+<?php extension_loaded("phar") or die("skip need ext/phar support"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php 
+
+echo "Test\n";
+
+@unlink(__DIR__."/bug64931.phar");
+$phar = new Phar(__DIR__."/bug64931.phar");
+$phar->addFile(__DIR__."/src/.pharignore", ".pharignore");
+try {
+       $phar->addFile(__DIR__."/src/.pharignore", ".phar/gotcha");
+} catch (Exception $e) {
+       echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+       $phar->addFromString(".phar", "gotcha");
+} catch (Exception $e) {
+       echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+       $phar->addFromString(".phar//", "gotcha");
+} catch (Exception $e) {
+       echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+       $phar->addFromString(".phar\\", "gotcha");
+} catch (Exception $e) {
+       echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+       $phar->addFromString(".phar\0", "gotcha");
+} catch (Exception $e) {
+       echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+?>
+===DONE===
+--CLEAN--
+<?php
+@unlink(__DIR__."/bug64931.phar");
+?>
+--EXPECT--
+Test
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+===DONE===
\ No newline at end of file

diff --git a/ext/phar/tests/bug64931/src/.pharignore b/ext/phar/tests/bug64931/src/.pharignore
new file mode 100644 (file)
index 0000000..b42d1c3
--- /dev/null
+++ b/ext/phar/tests/bug64931/src/.pharignore
@@ -0,0 +1,3 @@
+# ignore file
+*.tmp
+*~