From: Michael Wallner <mike@php.net>
Date: Mon, 30 Mar 2015 14:19:17 +0000 (+0200)
Subject: Fixed bug #64931
X-Git-Tag: php-5.5.24RC1~5
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6480725007bdc5bab4f24ac481a4cb082074851d;p=php

Fixed bug #64931

phar_add_file is too restrive on filename

Check for any of '/', '\\', '\0' after ".phar".
---

diff --git a/NEWS b/NEWS
index 5994c4501c..a0366d2c2b 100644
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,7 @@ PHP                                                                        NEWS
 - Phar:
   . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
     (Mike)
+  . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
   . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
   . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing 
     ".tar"). (Mike)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 712795b1a4..0712b86f7b 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -3622,7 +3622,7 @@ static void phar_add_file(phar_archive_data **pphar, char *filename, int filenam
 	phar_entry_data *data;
 	php_stream *contents_file;
 
-	if (filename_len >= sizeof(".phar")-1 && !memcmp(filename, ".phar", sizeof(".phar")-1)) {
+	if (filename_len >= sizeof(".phar")-1 && !memcmp(filename, ".phar", sizeof(".phar")-1) && (filename[5] == '/' || filename[5] == '\\' || filename[5] == '\0')) {
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Cannot create any files in magic \".phar\" directory", (*pphar)->fname);
 		return;
 	}
diff --git a/ext/phar/tests/bug64931/bug64931.phpt b/ext/phar/tests/bug64931/bug64931.phpt
new file mode 100644
index 0000000000..9c1f9dcaf1
--- /dev/null
+++ b/ext/phar/tests/bug64931/bug64931.phpt
@@ -0,0 +1,58 @@
+--TEST--
+Bug #64931 (phar_add_file is too restrictive on filename)
+--SKIPIF--
+<?php extension_loaded("phar") or die("skip need ext/phar support"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php 
+
+echo "Test\n";
+
+@unlink(__DIR__."/bug64931.phar");
+$phar = new Phar(__DIR__."/bug64931.phar");
+$phar->addFile(__DIR__."/src/.pharignore", ".pharignore");
+try {
+	$phar->addFile(__DIR__."/src/.pharignore", ".phar/gotcha");
+} catch (Exception $e) {
+	echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+	$phar->addFromString(".phar", "gotcha");
+} catch (Exception $e) {
+	echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+	$phar->addFromString(".phar//", "gotcha");
+} catch (Exception $e) {
+	echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+	$phar->addFromString(".phar\\", "gotcha");
+} catch (Exception $e) {
+	echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+try {
+	$phar->addFromString(".phar\0", "gotcha");
+} catch (Exception $e) {
+	echo "CAUGHT: ". $e->getMessage() ."\n";
+}
+
+?>
+===DONE===
+--CLEAN--
+<?php
+@unlink(__DIR__."/bug64931.phar");
+?>
+--EXPECT--
+Test
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+CAUGHT: Cannot create any files in magic ".phar" directory
+===DONE===
\ No newline at end of file
diff --git a/ext/phar/tests/bug64931/src/.pharignore b/ext/phar/tests/bug64931/src/.pharignore
new file mode 100644
index 0000000000..b42d1c31c1
--- /dev/null
+++ b/ext/phar/tests/bug64931/src/.pharignore
@@ -0,0 +1,3 @@
+# ignore file
+*.tmp
+*~