Jonnycake
commented
9 years ago http://www.cvedetails.com/cve/CVE-2008-5658/ PHP <= 2.6: ZipArchive::extractTo() Directory Traversal
Keep this in mind with PHP 5.1.0, user should be alerted that they're suggested to upgrade, but should also provide a way to protect oneself if they decide not to. While this function is currently only used in adminCP, assuming a wrapper class is provided it could be used in other places so it could end up being available to non-admin users.
I'm making an issue for regression testing to look into other possible vulnerabilities due to old PHP versions. This could eventually turn into a module of its own to include bad configurations, etc.
PHP version compatability has to be investigated, the goal is to keep everything compatable with PHP 5.1.0. From a cursory glance at the libraries SimpleSite uses it seems like it should be okay, the only problem I see with my plans is with the compression format - I use zip in the admin control panel as that's what's most common in windows environments. From what I can tell there's no off-the-shelf support for zip in 5.1.0, it requires manual configuration.
Possible solution is switching to using the bzip2 archive format, but ideally some parts should be able to support multiple formats. The only way I can see of achieving that is writing a wrapper to combine all of them, but that assumes that there's functions available, although that could be easily checked. Unfortunately in this case, I don't think there's any way around requiring manual configuration. Either way, I'll be setting up a test environment with php 5.1.0 to see what doesn't work.
The next piece of this issue is supporting both Windows and Linux. The only foreseen problem is file path delimeter, but another problem could arise if not considered beforehand: PCNTL library is not available for Windows so should not be used.
I'll update with more information when I get to it.