- MFH: Fixed possible relative path issues in zip_open in TS mode (old API)

diff --git a/NEWS b/NEWS
index ec1c4145ec8cb5bd7c033582222c504e312e6f4a..beb2b18837e929589ec7a84b54a2275cf8c24148 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ PHP                                                                        NEWS
 - Added --ri switch to CLI which allows to check extension information. (Marcus)
 - Added tidyNode::getParent() method (John, Nuno)
 - Added openbasedir and safemode checks in zip:// stream wrapper (Pierre)
+- Fixed possible relative path issues in zip_open and TS mode (old API) (Pierre)
 - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
 - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
 - Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)

diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index e618d8b9e7128014c95d9a0d456b5a3e3bebb058..88e5e88e125170b6194c5d8af4d6a16ccc972e7c 100644 (file)
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -616,16 +616,27 @@ static PHP_FUNCTION(zip_open)
 {
        char     *filename;
        int       filename_len;
+       char resolved_path[MAXPATHLEN + 1];
        zip_rsrc *rsrc_int;
        int err = 0;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
                return;
        }
+
+       if (filename_len == 0) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty string as source");
+               RETURN_FALSE;
+       }
+
        if (OPENBASEDIR_CHECKPATH(filename)) {
                RETURN_FALSE;
        }
 
+       if(!expand_filepath(filename, resolved_path TSRMLS_CC)) {
+               RETURN_FALSE;
+       }
+
        rsrc_int = (zip_rsrc *)emalloc(sizeof(zip_rsrc));
 
        rsrc_int->za = zip_open(filename, 0, &err);