Newsgroups: php.internals
Date: Fri, 23 Jan 2009 09:06:28 +0100
To: Pierre Joye
Cc: Stefan Esser, Debian PHP Maintainers, PHP internals
Message-ID: <20090123080628.GA21317@rangda.stickybit.se>
In-Reply-To: <20090123072359.GB28562@rangda.stickybit.se>
Subject: Re: [php-maint] [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?
From: seanius@debian.org (sean finney)

hi again,

On Fri, Jan 23, 2009 at 08:23:59AM +0100, sean finney wrote:
> it's unfortunate that there isn't a more surgical fix (301 insertions!),
> but i'll take your word for it that it would be too complicated/dangerous
> to try and modify virtual_file_ex() directly.

actually, i think i've found a slightly more graceful workaround :)

since virtual_file_ex is too fragile to be changed, here's a patch that does the following as a workaround:

- take a temporary copy of the filename
- replace all instances of "^../", "/../", and "/..$" with "///".
- pass this mangled filename to virtual_file_ex for normalization

it seems virtual_file_ex can handle such a filename without problem, and with proper formatting the current patch only inserts 22 lines to php_zip.c. someone should probably double check this code for early-morning coding errors though :)

what do you think?

sean

Attachment: CVE-2008-5658.diff.txt

--- ext/zip/php_zip.c.orig	2009-01-23 08:29:32.000000000 +0100
+++ ext/zip/php_zip.c	2009-01-23 08:56:42.000000000 +0100
@@ -142,6 +142,9 @@
 	char *path_cleaned;
 	size_t path_cleaned_len;
 	cwd_state new_state;
+	char *tmp_file = NULL;
+	char *tmp_needle = NULL;
+	int virtual_ret = 0;
 
 	new_state.cwd = (char*)malloc(1);
 	new_state.cwd[0] = '\0';
@@ -150,7 +153,25 @@
 	/* Clean/normlize the path and then transform any path (absolute or relative)
 	   to a path relative to cwd (../../mydir/foo.txt > mydir/foo.txt) */
-	virtual_file_ex(&new_state, file, NULL, CWD_EXPAND);
+	tmp_file = strdup(file);
+	while (tmp_needle=strstr(tmp_file, "/../"))
+	{
+		*(tmp_needle+1)=*(tmp_needle+2)='/';
+	}
+	if (strncmp(tmp_file, "..", 2) == 0 && (file_len == 2 || tmp_file[2] == '/'))
+	{
+		tmp_file[0]=tmp_file[1]='/';
+	}
+	if (file_len > 3 && strncmp(&tmp_file[file_len-2], "..", 2) == 0)
+	{
+		tmp_file[file_len-1]=tmp_file[file_len-2]='/';
+	}
+	virtual_ret = virtual_file_ex(&new_state, tmp_file, NULL, CWD_EXPAND);
+	free(tmp_file);
+	if (virtual_ret == 1)
+	{
+		return 0;
+	}
 	path_cleaned = php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
 	path_cleaned_len = strlen(path_cleaned);
 
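Review bot: the early `return 0` after `virtual_file_ex` fails leaks `new_state.cwd`, which the first hunk allocates with `malloc(1)` a few lines earlier; free it before returning, and compare the result as `!= 0` rather than `== 1` unless the function is documented to return exactly 1 on failure. Two length problems in the same hunk: `tmp_file` is sized by `strdup(file)` (that is, by `strlen(file)`) but then indexed with `file_len` at `tmp_file[file_len-1]`, so both must be guaranteed equal (copy with the same `file_len` that is used for indexing), and `strdup` can return NULL, which the following `strstr` would dereference. Finally, the trailing check `strncmp(&tmp_file[file_len-2], "..", 2) == 0` matches any name ending in two dots (`dir/foo..`), not only the `/..$` case the description gives; also test `tmp_file[file_len-3] == '/'` so such entries are not silently renamed.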
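The three-step workaround described in the message, as an added stand-alone C example (not the PHP project's code and not the patch above): the same length drives both the copy and the indexing, a trailing `..` is only rewritten when a slash precedes it, and the normalised result is re-checked before use. `collapse_slashes` is a constructed stand-in for the slash handling of virtual_file_ex, and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Rewrite "../" at the start, "/../" anywhere and "/.." at the end of an
 * archive entry name to slashes, so the normaliser only sees empty components.
 * One length drives copy and indexing; returns a malloc'd copy or NULL. */
char *neutralize_dotdot(const char *name, size_t len)
{
    char *out = malloc(len + 1), *p;
    if (out == NULL) return NULL;
    memcpy(out, name, len);
    out[len] = '\0';
    p = out;
    while ((p = strstr(p, "/../")) != NULL)
        p[1] = p[2] = '/';                  /* "/../" -> "////" */
    if (len >= 2 && out[0] == '.' && out[1] == '.' && (len == 2 || out[2] == '/'))
        out[0] = out[1] = '/';              /* "../" at start -> "///" */
    if (len >= 3 && strcmp(out + len - 3, "/..") == 0)
        out[len - 2] = out[len - 1] = '/';  /* "/.." at end -> "///" */
    return out;
}

/* Constructed stand-in for the slash handling of virtual_file_ex: drop
 * leading slashes and collapse runs of '/' in place (trailing one too). */
char *collapse_slashes(char *s)
{
    char *r = s, *w = s;
    while (*r == '/') r++;
    for (; *r; r++)
        if (*r != '/' || (r[1] != '/' && r[1] != '\0'))
            *w++ = *r;
    *w = '\0';
    return s;
}

/* Mangle, normalise, then re-check: returns the relative path to extract
 * to, or NULL if the result is empty or a ".." component survived. */
char *safe_entry_path(const char *name)
{
    char *out = neutralize_dotdot(name, strlen(name)), *seg, *q;
    if (out == NULL) return NULL;
    collapse_slashes(out);
    if (out[0] == '\0') { free(out); return NULL; }
    for (seg = out; seg != NULL; seg = (q = strchr(seg, '/')) ? q + 1 : NULL)
        if (seg[0] == '.' && seg[1] == '.' && (seg[2] == '/' || seg[2] == '\0')) {
            free(out);
            return NULL;
        }
    return out;
}
```

Note that `a/../../b` becomes `a/b`, not `b`: the rewrite keeps every entry under the destination at the cost of renaming entries that climb and come back down, which is the trade-off the mangling approach makes.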