From ad6e7fc66776a642495eb2241dedd226dc8f3961 Mon Sep 17 00:00:00 2001 From: Greg Beaver Date: Sat, 26 Apr 2008 22:04:04 +0000 Subject: [PATCH] add screening of alias to reading of zip archives, and test for bad aliases --- ext/phar/tests/zip/badalias.phpt | 25 ++++++++++++++++++++ ext/phar/tests/zip/files/badalias1.phar.zip | Bin 0 -> 353 bytes ext/phar/tests/zip/files/badalias2.phar.zip | Bin 0 -> 353 bytes ext/phar/tests/zip/files/badalias3.phar.zip | Bin 0 -> 353 bytes ext/phar/tests/zip/files/badalias4.phar.zip | Bin 0 -> 353 bytes ext/phar/tests/zip/files/badalias5.phar.zip | Bin 0 -> 353 bytes ext/phar/zip.c | 12 ++++++++++ 7 files changed, 37 insertions(+) create mode 100644 ext/phar/tests/zip/badalias.phpt create mode 100644 ext/phar/tests/zip/files/badalias1.phar.zip create mode 100644 ext/phar/tests/zip/files/badalias2.phar.zip create mode 100644 ext/phar/tests/zip/files/badalias3.phar.zip create mode 100644 ext/phar/tests/zip/files/badalias4.phar.zip create mode 100644 ext/phar/tests/zip/files/badalias5.phar.zip diff --git a/ext/phar/tests/zip/badalias.phpt b/ext/phar/tests/zip/badalias.phpt new file mode 100644 index 0000000000..4e08cefd5e --- /dev/null +++ b/ext/phar/tests/zip/badalias.phpt @@ -0,0 +1,25 @@ +--TEST-- +Phar: invalid aliases +--SKIPIF-- + + + +--FILE-- +getMessage(), "\n"; +} +} +?> +===DONE=== +--EXPECTF-- +phar error: invalid alias in zip-based phar "%sbadalias1.phar.zip" +phar error: invalid alias in zip-based phar "%sbadalias2.phar.zip" +phar error: invalid alias in zip-based phar "%sbadalias3.phar.zip" +phar error: invalid alias in zip-based phar "%sbadalias4.phar.zip" +phar error: invalid alias in zip-based phar "%sbadalias5.phar.zip" +===DONE=== 
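Review bot: Two of the five fixtures behind this test are the same file: `badalias2.phar.zip` and `badalias3.phar.zip` are both added with blob id `7b5baaa08945c7e00787f139a96c248a9f7be983`. The --EXPECTF-- section lists five rejections, but only four distinct aliases are exercised. badalias3 should be regenerated with the alias it was meant to carry. A short comment in the --FILE-- section, naming the invalid character each fixture holds, would let a reader tell which rule of the alias screening each case pins down.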
diff --git a/ext/phar/tests/zip/files/badalias1.phar.zip b/ext/phar/tests/zip/files/badalias1.phar.zip new file mode 100644 index 0000000000000000000000000000000000000000..0e3adfc7cf51925a50eac3b2b4b6f653b3f0c846 GIT binary patch literal 353 zcmWIWW@Zs#U|`^2u;`d&F~jSMB`c7}48%-8oRN9@#2FTb02D=*N4^SifweF&@B?YR zf{er>{luKi#A3aYijvbOuIQii(DhGF|AaB1H^pec+%r{H!Y&?qF3k%_Jz-MI+Gsz4^1Hjq3s5UvE$i$EL(0I`)xX#fBK literal 0 HcmV?d00001 diff --git a/ext/phar/tests/zip/files/badalias2.phar.zip b/ext/phar/tests/zip/files/badalias2.phar.zip new file mode 100644 index 0000000000000000000000000000000000000000..7b5baaa08945c7e00787f139a96c248a9f7be983 GIT binary patch literal 353 zcmWIWW@Zs#U|`^2u;`d&F~jSMB`c7}48%-8oRN9@#2FTb02D=GyPfBAfweF&@B?YR zf{er>{luKi#A3aYijvbOdNfaZ=z6iDXMIa6X07A4#`2YX_ literal 0 HcmV?d00001 diff --git a/ext/phar/tests/zip/files/badalias3.phar.zip b/ext/phar/tests/zip/files/badalias3.phar.zip new file mode 100644 index 0000000000000000000000000000000000000000..7b5baaa08945c7e00787f139a96c248a9f7be983 GIT binary patch literal 353 zcmWIWW@Zs#U|`^2u;`d&F~jSMB`c7}48%-8oRN9@#2FTb02D=GyPfBAfweF&@B?YR zf{er>{luKi#A3aYijvbOdNfaZ=z6iDXMIa6X07A4#`2YX_ literal 0 HcmV?d00001 diff --git a/ext/phar/tests/zip/files/badalias4.phar.zip b/ext/phar/tests/zip/files/badalias4.phar.zip new file mode 100644 index 0000000000000000000000000000000000000000..49b7be0daec1274b35e98d0c3c45628f9115ef10 GIT binary patch literal 353 zcmWIWW@Zs#U|`^2u;`d&F~jSMB`c7}48%-8oRN9@#2FTb02D=AS~hiYfweF&@B?YR zf{er>{luKi#A3aYijvbOw&GF|AaB1H^pec+%r{H!Y&?qF3k%_Jz-MI+Gsz4^1Hjq3s5UvE$i$EL(07+y@C;$Ke literal 0 HcmV?d00001 diff --git a/ext/phar/tests/zip/files/badalias5.phar.zip b/ext/phar/tests/zip/files/badalias5.phar.zip new file mode 100644 index 0000000000000000000000000000000000000000..9f2b0e8282683fdc40840608862b61f8774213b5 GIT binary patch literal 353 zcmWIWW@Zs#U|`^2u;`d&F~jSMB`c7}48%-8oRN9@#2FTb02D=n;qM%|z*-m>_<^)u zK}KSceqv5$VzFLHMak(CTeMDk=z6iDXMIa6X0Mp$_Y5)KL literal 0 HcmV?d00001 
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index 886cb20c5d..bf613a31f5 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -317,12 +317,14 @@ foundit:
 case PHAR_ZIP_COMP_DEFLATE :
 entry.flags |= PHAR_ENT_COMPRESSED_GZ;
 if (!phar_has_zlib) {
+ efree(entry.filename);
 PHAR_ZIP_FAIL("zlib extension is required");
 }
 break;
 case PHAR_ZIP_COMP_BZIP2 :
 entry.flags |= PHAR_ENT_COMPRESSED_BZ2;
 if (!phar_has_bz2) {
+ efree(entry.filename);
 PHAR_ZIP_FAIL("bzip2 extension is required");
 }
 break;
@@ -369,6 +371,7 @@ foundit:
 /* get file metadata */
 if (zipentry.comment_len) {
 if (PHAR_GET_16(zipentry.comment_len) != php_stream_read(fp, buf, PHAR_GET_16(zipentry.comment_len))) {
+ efree(entry.filename);
 PHAR_ZIP_FAIL("unable to read in file comment, truncated");
 }
 p = buf;
@@ -391,10 +394,12 @@ foundit:
 if (entry.flags & PHAR_ENT_COMPRESSED_GZ) {
 filter = php_stream_filter_create("zlib.inflate", NULL, php_stream_is_persistent(fp) TSRMLS_CC);
 if (!filter) {
+ efree(entry.filename);
 PHAR_ZIP_FAIL("unable to decompress alias, zlib filter creation failed");
 }
 php_stream_filter_append(&fp->readfilters, filter);
 if (!(entry.uncompressed_filesize = php_stream_copy_to_mem(fp, &(mydata->alias), entry.uncompressed_filesize, 0)) || !mydata->alias) {
+ efree(entry.filename);
 PHAR_ZIP_FAIL("unable to read in alias, truncated");
 }
 php_stream_filter_flush(filter, 1);
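Review bot: The `efree(entry.filename);` added before `PHAR_ZIP_FAIL(...)` in both compression-method branches is hand-copied cleanup. The same pair recurs in the comment-read hunk, the zlib alias hunk and the bzip2/uncompressed alias hunk, nine sites in this patch. Any failure path added to this loop later has to remember the free, or the filename leaks each time a malformed archive is rejected. A per-entry wrapper would keep the two steps together, for example `#define PHAR_ZIP_FAIL_FREE(errmsg, save) do { efree(save); PHAR_ZIP_FAIL(errmsg); } while (0)`, where the macro name is a suggestion. The enclosing function and the `PHAR_ZIP_FAIL` definition lie outside the hunk, so whether the macro itself reads `entry.filename` cannot be confirmed from here.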
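Review bot: On the `php_stream_copy_to_mem` failure path in the zlib branch, the filter added by `php_stream_filter_append(&fp->readfilters, filter)` is still attached to the stream when `PHAR_ZIP_FAIL` runs. The success path flushes it and, per the next hunk, removes it. If `PHAR_ZIP_FAIL` (defined outside this hunk) does not close `fp`, an inflate filter stays on a stream that is still in use; `php_stream_filter_remove(filter, 1 TSRMLS_CC);` before the `efree` would make the path symmetric. The bzip2 branch in the following hunk has the same shape. Its context lines also show `php_stream_filter_append` called twice on the same filter, which looks unintended and is worth confirming.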
@@ -403,23 +408,30 @@ foundit: php_stream_filter *filter; filter = php_stream_filter_create("bzip2.decompress", NULL, php_stream_is_persistent(fp) TSRMLS_CC); if (!filter) { + efree(entry.filename); PHAR_ZIP_FAIL("unable to read in alias, bzip2 filter creation failed"); } php_stream_filter_append(&fp->readfilters, filter); php_stream_filter_append(&fp->readfilters, filter); if (!(entry.uncompressed_filesize = php_stream_copy_to_mem(fp, &(mydata->alias), entry.uncompressed_filesize, 0)) || !mydata->alias) { + efree(entry.filename); PHAR_ZIP_FAIL("unable to read in alias, truncated"); } php_stream_filter_flush(filter, 1); php_stream_filter_remove(filter, 1 TSRMLS_CC); } else { if (!(entry.uncompressed_filesize = php_stream_copy_to_mem(fp, &(mydata->alias), entry.uncompressed_filesize, 0)) || !mydata->alias) { + efree(entry.filename); PHAR_ZIP_FAIL("unable to read in alias, truncated"); } } mydata->is_temporary_alias = 0; mydata->alias_len = PHAR_GET_32(zipentry.uncompsize); + if (!phar_validate_alias(mydata->alias, mydata->alias_len)) { + efree(entry.filename); + PHAR_ZIP_FAIL("invalid alias"); + } zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), mydata->alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL); /* return to central directory parsing */ php_stream_seek(fp, saveloc, SEEK_SET); -- 2.50.1
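Review bot: `phar_validate_alias(mydata->alias, mydata->alias_len)` is given the length declared in the zip header (`PHAR_GET_32(zipentry.uncompsize)`), not the byte count `php_stream_copy_to_mem` returned, and the three read checks above reject only a zero-length result. If an archive's alias entry yields fewer bytes than it declares, the validator and the `zend_hash_add` key that follows would work on a length larger than the data read; this assumes the validator walks `alias_len` bytes, and it is defined elsewhere. The two values should be compared before validating, e.g. `if (entry.uncompressed_filesize != PHAR_GET_32(zipentry.uncompsize)) { efree(entry.filename); PHAR_ZIP_FAIL("unable to read in alias, truncated"); }`. The new failure path also leaves the freshly allocated `mydata->alias` to whatever `PHAR_ZIP_FAIL` does with `mydata`, which is not visible in this hunk, so a comment stating who frees it would help.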