Hide Forgot
Created attachment 1142637 [details] pharbug.php Php phar implementation has several routines to ignore files named "." and ".." in pathnames. These can be created in tar archives. One example is: $ touch file1 file2 file3 $ tar zcf dotslash.tar.gz ./file1 ./file2 ./file3 $ tar zcf nodotslash.tar.gz file1 file2 file3 and use the attached test script. I did an experimental patch, that needs some polishing, but is a starting point to handle ./ as start of a file: ---8<--- diff -up php-5.4.16/ext/phar/tar.c.orig php-5.4.16/ext/phar/tar.c --- php-5.4.16/ext/phar/tar.c.orig 2016-03-29 11:39:57.020599910 -0300 +++ php-5.4.16/ext/phar/tar.c 2016-03-29 11:42:25.582624697 -0300 @@ -481,6 +481,8 @@ bail: entry.link = estrdup(hdr->linkname); } phar_set_inode(&entry TSRMLS_CC); + if (entry.filename[0] == '.' && entry.filename[1] == '/') + memmove(entry.filename, entry.filename + 2, entry.filename_len -= 2); zend_hash_add(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), (void **) &newentry); if (entry.is_persistent) { ---8<--- but I would like to know if there are specific rules, maybe related CVEs, etc, regarding the tar implementation in php phar, or, if fixing it to handle "." and ".." in pathnames would be a welcome addition.
Created attachment 1142650 [details] php-5.4.16-sfdc01601204.patch This patch appears to work for leading "./", and correctly extract files using phar, from a tarball with leading "./", but not tested (yet) with very long names. What may have issues. The cut&paste patch in previous comment did not copy the trailing nul character nor check bounds. For completeness, it would be required a patch to remove "/./" in the middle of a path, or handle "/../" in the middle of the path as well, or trigger an error there are too many ".." compared to directories to "pop".
If you think this is a security issue, file a bug with the security (private) flag, it will be managed byt the PHP security team (security) https://bugs.php.net/report.php?package=phar (notice that 5.4 is EOL and won't receive any patch, 5.5 is security only, 5.6 and 7.0 are maintained)
Red Hat Enterprise Linux 7 shipped it's final minor release on September 29th, 2020. 7.9 was the last minor releases scheduled for RHEL 7. From intial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed. From the RHEL life cycle page: https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase "During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7,Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available." If this BZ was closed in error and meets the above criteria please re-open it flag for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes: https://source.redhat.com/groups/public/pnt-cxno/pnt_customer_experience_and_operations_wiki/support_delivery_accelerated_fix_release_handbook Feature Requests can re-opened and moved to RHEL 8 if the desired functionality is not already present in the product. Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns. [0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7