matomo-org / component-decompress

Decompress files
GNU Lesser General Public License v3.0

Sync pclzip with chamilo/pclzip ? #23

Open williamdes opened 1 month ago

williamdes commented 1 month ago

Should we copy the upstream changes from https://github.com/chamilo/pclzip?

The diff to apply is minimal. It seems that it contains a security fix and a PHP 7.1 compat bug fix around the ini_ functions.

diff --git a/libs/PclZip/pclzip.lib.php b/libs/PclZip/pclzip.lib.php
index 1189e9f..dbe5c28 100644
--- a/libs/PclZip/pclzip.lib.php
+++ b/libs/PclZip/pclzip.lib.php
@@ -1,6 +1,6 @@
 <?php
 // --------------------------------------------------------------------------------
-// PhpConcept Library - Zip Module 2.8.2
+// PhpConcept Library - Zip Module 2.8.4
 // --------------------------------------------------------------------------------
 // License GNU/LGPL - Vincent Blavet - August 2009
 // http://www.phpconcept.net
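Review bot: only the version string in the banner moves from 2.8.2 to 2.8.4; the author/date line under it still reads "August 2009", so the header gives no hint of when or why 2.8.3/2.8.4 were cut. Since the matomo copy already carries local changes (the `is_callable` check further down), consider adding a one-line note under the banner that this file is 2.8.4 plus matomo-specific patches, so the next sync knows what to diff against.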
@@ -1717,7 +1717,7 @@ class PclZip
                    $v_function_name = $p_options_list[$i + 1];

                    // ----- Check that the value is a valid existing function
-                   if ((is_string($v_function_name) && !function_exists($v_function_name)) && !is_callable($v_function_name)) {
+                   if (!function_exists($v_function_name)) {
                        // ----- Error log
                        PclZip::privErrorLog(PCLZIP_ERR_INVALID_OPTION_VALUE, "Function '" . $v_function_name . "()' is not an existing function for option '" . PclZipUtilOptionText($p_options_list[$i]) . "'");

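Review bot: the `+` line narrows the accepted callback from any callable to a named function: `if (!function_exists($v_function_name))` rejects a Closure or an `[$object, 'method']` array that the `-` line's `is_callable()` accepted, and on PHP 8 `function_exists()` throws a TypeError when handed a Closure instead of a string. That is a behaviour regression for callers of the PCLZIP_CB_* options and has nothing to do with the security fix, so keep the local `-` form (or simply `!is_callable($v_function_name)`, which also covers plain function names) when applying the rest of the sync.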
@@ -1784,9 +1784,10 @@ class PclZip
        }

        // ----- Get 'memory_limit' configuration value
-       $v_memory_limit = trim(ini_get('memory_limit'));
+       $v_memory_limit = ini_get('memory_limit');
+       $v_memory_limit = trim($v_memory_limit);
        $last           = strtolower(substr($v_memory_limit, -1));
-       $v_memory_limit = intval($v_memory_limit);
+       $v_memory_limit = preg_replace('/\s*[KkMmGg]$/', '', $v_memory_limit);

        if ($last == 'g') {
            //$v_memory_limit = $v_memory_limit*1024*1024*1024;
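Review bot: the `-` and `+` forms both strip the size suffix that `$last` has already captured, so this is not a PHP 7.1 compatibility difference; the only behavioural change is the type of `$v_memory_limit`. `intval()` yields an int (and turns garbage into 0), while `preg_replace('/\s*[KkMmGg]$/', '', $v_memory_limit)` yields a numeric string that is only coerced when it reaches the multiplication in the `if ($last == 'g')` branch, and a value such as `-1` (no limit) stays a string until then. Prefer keeping `intval()` or casting, e.g. `$v_memory_limit = (int) preg_replace('/\s*[KkMmGg]$/', '', $v_memory_limit);`. Splitting `ini_get()`/`trim()` over two lines is a style-only change and can be dropped.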
@@ -3512,6 +3513,12 @@ class PclZip
            }
        }

+       // Patch for Zip Traversal vulnerability
+       if (strpos($p_entry['stored_filename'], '../') !== false || strpos($p_entry['stored_filename'], '..\\') !== false) {
+           $p_entry['stored_filename'] = basename($p_entry['stored_filename']);
+           $p_entry['filename'] = basename($p_entry['stored_filename']);
+       }
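Review bot: the traversal guard silently rewrites a hostile entry instead of rejecting it, and the rewrite discards the directory part of the target: `$p_entry['filename'] = basename($p_entry['stored_filename']);` replaces whatever `filename` held (including the PCLZIP_OPT_PATH directory, if pclzip has already joined it onto `filename` at this point of privExtractFile) with a bare file name, so a `../../x` entry can land in the process's working directory rather than under the chosen output directory. The substring test also leaves absolute names (`/etc/...`, `C:\...`) untouched. Better to treat a match as an error for the entry, reported through `PclZip::privErrorLog()` like the option check above, and skip it; at minimum, reapply the extraction path and reject absolute names. The second `basename()` call is redundant, since `stored_filename` has just been reduced to a basename.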
sgiehl commented 1 month ago

Sounds good to me to apply such fixes
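As an added example, not code from this issue, from pclzip or from chamilo: a stand-alone PHP check for where a zip entry may be written, covering the cases the substring test for `../` and `..\` in the diff above does not (absolute names, drive letters, a `..` segment reached after a legitimate directory) and rejecting the entry rather than flattening it with `basename()`. The function names `zipEntryTarget` and `parentInsideDest`, the destination `/tmp/out` and the entry names are all constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not pclzip code. Decide where a zip entry may be written:
 * returns the target path under $destDir, or null if the entry must be
 * rejected. The stored name is split into segments so that '..' is caught
 * wherever it appears, and absolute names are refused outright.
 */
function zipEntryTarget(string $storedName, string $destDir): ?string
{
    $name = str_replace('\\', '/', $storedName);     // Windows-style separators

    if ($name === ''
        || $name[0] === '/'                          // absolute POSIX path
        || preg_match('/^[A-Za-z]:/', $name) === 1   // C:\... drive letter
        || strpos($name, "\0") !== false) {          // NUL truncation tricks
        return null;
    }

    $parts = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                                // '//' and './' are harmless
        }
        if ($seg === '..') {
            return null;                             // never climb, even 'a/../b'
        }
        $parts[] = $seg;
    }
    if ($parts === []) {
        return null;                                 // nothing left to write
    }
    return rtrim($destDir, '/') . '/' . implode('/', $parts);
}

/**
 * Second line of defence, to be called once the parent directory exists:
 * the resolved parent must still be inside the resolved destination. This
 * catches symlinked subdirectories that a purely lexical check cannot see.
 */
function parentInsideDest(string $target, string $destDir): bool
{
    $realDest   = realpath($destDir);
    $realParent = realpath(dirname($target));
    if ($realDest === false || $realParent === false) {
        return false;
    }
    return $realParent === $realDest
        || strncmp($realParent, $realDest . DIRECTORY_SEPARATOR, strlen($realDest) + 1) === 0;
}

// Constructed entry names (not taken from a real archive) and the expected decision.
$cases = [
    'docs/readme.txt'      => '/tmp/out/docs/readme.txt',
    './a//b.txt'           => '/tmp/out/a/b.txt',
    '../../etc/passwd'     => null,
    'a/../../x.txt'        => null,   // caught by the segment walk
    'dir\\..\\..\\x.txt'   => null,   // backslash separators
    '/etc/cron.d/evil'     => null,   // absolute: a '../' substring check would allow it
    'C:\\Windows\\win.ini' => null,
    "safe.txt\0.jpg"       => null,
    '..'                   => null,
];
foreach ($cases as $stored => $expected) {
    $got = zipEntryTarget($stored, '/tmp/out');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for $stored: " . var_export($got, true));
    }
}
echo "all constructed cases behave as expected\n";
```

Run it with `php` from the command line; it throws on the first case that deviates. The lexical check is enough to decide whether to accept an entry at all; `parentInsideDest()` is the extra step to run after creating the parent directory and before writing, since `realpath()` needs the directory to exist.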