From: Pierre Joye <pajoye@php.net>
Date: Wed, 14 Mar 2007 11:32:25 +0000 (+0000)
Subject: - MFH: Fixed possible relative path issues in zip_open in TS mode (old API)
X-Git-Tag: php-5.2.2RC1~156
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b40b5b53051466cee7711c36a2066670372e00d6;p=php

- MFH: Fixed possible relative path issues in zip_open in TS mode (old API)
---

diff --git a/NEWS b/NEWS
index ec1c4145ec..beb2b18837 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ PHP                                                                        NEWS
 - Added --ri switch to CLI which allows to check extension information. (Marcus)
 - Added tidyNode::getParent() method (John, Nuno)
 - Added openbasedir and safemode checks in zip:// stream wrapper (Pierre)
+- Fixed possible relative path issues in zip_open and TS mode (old API) (Pierre)
 - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
 - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
 - Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index e618d8b9e7..88e5e88e12 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -616,16 +616,27 @@ static PHP_FUNCTION(zip_open)
 {
 	char     *filename;
 	int       filename_len;
+	char resolved_path[MAXPATHLEN + 1];
 	zip_rsrc *rsrc_int;
 	int err = 0;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
 		return;
 	}
+
+	if (filename_len == 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty string as source");
+		RETURN_FALSE;
+	}
+
 	if (OPENBASEDIR_CHECKPATH(filename)) {
 		RETURN_FALSE;
 	}
 
+	if(!expand_filepath(filename, resolved_path TSRMLS_CC)) {
+		RETURN_FALSE;
+	}
+
 	rsrc_int = (zip_rsrc *)emalloc(sizeof(zip_rsrc));
 
 	rsrc_int->za = zip_open(filename, 0, &err);