access, or a string representing a file within the archive to access. If
unknown, the callback should return the original request uri [Greg]
* rework filename detection so that alias is always checked first
- * make aliases containing '/' or '\' invalid
+ X make aliases containing '/' or '\' invalid [Greg]
X implement manual mounting of external phar archives to locations inside a
phar path, $phar->mount('/path/to/external.phar', 'internal/path');
this would traverse external.phar's manifest, and add each entry as a
}
}
#endif
+/**
+ * validate an alias, returns 1 for success, 0 for failure
+ */
+static inline int phar_validate_alias(const char *alias, int alias_len) /* {{{ */
+{
+ return !(memchr(alias, '/', alias_len) || memchr(alias, '\\', alias_len) || memchr(alias, ':', alias_len) ||
+ memchr(alias, ';', alias_len));
+}
+/* }}} */
+
void phar_request_initialize(TSRMLS_D);
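Review bot: `phar_validate_alias` passes the signed `alias_len` straight to `memchr`, whose length parameter is `size_t`, so a negative length would be converted to a very large count, and a zero-length alias is reported as valid. If neither case can reach this helper, the comment should say so; otherwise guard with `if (alias_len <= 0) return 0;` (or `< 0` if an empty alias is meant to be allowed). The doc comment says only "returns 1 for success, 0 for failure"; it should name the four rejected bytes (`/`, `\`, `:`, `;`) and the reason for each, since the TODO entry in this commit mentions only `/` and `\`. As a style point, the four `memchr` passes could be a single loop over the buffer, though for alias-sized input this hardly matters.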
if (PHAR_G(readonly)) {
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,
"Cannot write out phar archive, phar is read-only");
- return;
+ RETURN_FALSE;
}
if (phar_obj->arc.archive->is_data) {
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,
"A Phar alias cannot be set in a plain %s archive", phar_obj->arc.archive->is_tar ? "tar" : "zip");
- return;
+ RETURN_FALSE;
}
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &alias, &alias_len) == SUCCESS) {
efree(error);
RETURN_FALSE;
}
+ if (!phar_validate_alias(alias, alias_len)) {
+ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,
+ "Invalid alias \"%s\" specified for phar \"%s\"", alias, phar_obj->arc.archive->fname);
+ RETURN_FALSE;
+ }
if (phar_obj->arc.archive->alias_len && SUCCESS == zend_hash_find(&(PHAR_GLOBALS->phar_alias_map), phar_obj->arc.archive->alias, phar_obj->arc.archive->alias_len, (void**)&fd_ptr)) {
zend_hash_del(&(PHAR_GLOBALS->phar_alias_map), phar_obj->arc.archive->alias, phar_obj->arc.archive->alias_len);
readd = 1;
zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), oldalias, oldalias_len, (void*)&(phar_obj->arc.archive), sizeof(phar_archive_data*), NULL);
}
efree(error);
- return;
+ RETURN_FALSE;
}
zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), alias, alias_len, (void*)&(phar_obj->arc.archive), sizeof(phar_archive_data*), NULL);
if (oldalias) {
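Review bot: The new `phar_validate_alias` call is visible only in this one alias-setting path (the function starts and ends outside the hunk), so an alias that arrives another way, for example one stored in an archive and read when the archive is opened, would presumably still reach `phar_alias_map` unchecked. If those paths are not covered elsewhere in the commit, the same check belongs wherever an alias is about to be added to the map, because archive contents are less trusted than the script calling setAlias. Separately, the message formats `alias` with `%s` although the `"s"` parameter is length-counted, so an alias containing a NUL byte would be cut short in the exception text; a comment such as `/* alias is length-counted; %s shows it only up to the first NUL */` would record that.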
--- /dev/null
+--TEST--
+Phar: set alias with invalid alias containing / \ : or ;
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$fname = dirname(__FILE__) . '/' . basename(__FILE__, '.php') . '.phar';
+
+$p = new Phar($fname);
+try {
+ $p->setAlias('hi/');
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+try {
+ $p->setAlias('hi\\l');
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+
+try {
+ $p->setAlias('hil;');
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+
+try {
+ $p->setAlias(':hil');
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+?>
+===DONE===
+--CLEAN--
+<?php
+unlink(dirname(__FILE__) . '/' . basename(__FILE__, '.clean.php') . '.phar');
+?>
+--EXPECTF--
+Invalid alias "hi/" specified for phar "%sinvalid_alias.phar"
+Invalid alias "hi\l" specified for phar "%sinvalid_alias.phar"
+Invalid alias "hil;" specified for phar "%sinvalid_alias.phar"
+Invalid alias ":hil" specified for phar "%sinvalid_alias.phar"
+===DONE===
\ No newline at end of file
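Review bot: This test exercises rejection only, with each forbidden character in a single position, so it does not show that a valid alias is still accepted or that the previous alias survives a rejected call. After the four `try` blocks, a case such as `$p->setAlias('ok');` followed by a rejected `$p->setAlias('o/k');` inside try/catch and `echo $p->getAlias() . "\n";` would pin both, with the extra message and `ok` added to EXPECTF. A brief comment at the top of the FILE section, e.g. `// '/', '\', ':' and ';' must all be refused as alias characters`, would also tell the reader what the four cases have in common.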
--- /dev/null
+--TEST--
+Phar: invalid set alias or stub via array access
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$fname = dirname(__FILE__) . '/' . basename(__FILE__, '.php') . '.phar.tar';
+$fname2 = dirname(__FILE__) . '/' . basename(__FILE__, '.php') . '.phar.zip';
+
+$p = new Phar($fname);
+try {
+ $p['.phar/stub.php'] = 'hi';
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+try {
+ $p['.phar/alias.txt'] = 'hi';
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+$p = new Phar($fname2);
+try {
+ $p['.phar/stub.php'] = 'hi';
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+try {
+ $p['.phar/alias.txt'] = 'hi';
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+
+?>
+===DONE===
+--CLEAN--
+<?php
+unlink(dirname(__FILE__) . '/' . basename(__FILE__, '.clean.php') . '.phar.tar');
+unlink(dirname(__FILE__) . '/' . basename(__FILE__, '.clean.php') . '.phar.zip');
+?>
+--EXPECTF--
+Cannot set stub ".phar/stub.php" directly in phar "%sinvalid_setstubalias.phar.tar", use setStub
+Cannot set alias ".phar/alias.txt" directly in phar "%sinvalid_setstubalias.phar.tar", use setAlias
+Cannot set stub ".phar/stub.php" directly in phar "%sinvalid_setstubalias.phar.zip", use setStub
+Cannot set alias ".phar/alias.txt" directly in phar "%sinvalid_setstubalias.phar.zip", use setAlias
+===DONE===
\ No newline at end of file