PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
Created php-pear tracking bugs for this issue:
Affects: fedora-all [bug 1418773]
This vulnerability only allows files in the current directory to be overwritten, so using `pear download` in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.
Since pear's purpose is to download libraries for inclusion in an application, any use of `pear install` or `pear download` implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.
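The temporary-directory mitigation described above, written out as a shell wrapper. This is an added example, not code from the bug report or from PEAR: it runs the download in a fresh `mktemp -d` directory so a crafted redirect can only touch files there, then lists anything the download left behind that is not a package archive (a dotfile such as .htaccess, for instance). The `DOWNLOADER` variable is an assumption of this example; it defaults to `pear download` and exists so the wrapper can be exercised without network access.

```shell
# Added example (not from the bug report or PEAR): confine `pear download`
# to a fresh temporary directory and flag unexpected files afterwards.
# DOWNLOADER is assumed for this example; it defaults to "pear download".
safe_pear_download() {
    pkg="$1"
    downloader="${DOWNLOADER:-pear download}"
    workdir="$(mktemp -d)" || return 1
    # Run the download in a subshell so the caller's cwd is never the target
    # of a redirect-driven overwrite.
    (cd "$workdir" && $downloader "$pkg") >/dev/null 2>&1

    # A legitimate download yields a package archive; anything else in the
    # directory (dotfiles like .htaccess, or non-archive names) is reported.
    unexpected=0
    for f in "$workdir"/.[!.]* "$workdir"/*; do
        [ -e "$f" ] || continue
        name="${f##*/}"
        case "$name" in
            .*)               echo "unexpected dotfile: $name" >&2; unexpected=1 ;;
            *.tgz|*.tar|*.tar.gz) ;;
            *)                echo "unexpected file: $name" >&2; unexpected=1 ;;
        esac
    done
    # Print the directory so the caller can inspect or copy the archive;
    # exit status is non-zero when unexpected files were found.
    echo "$workdir"
    return $unexpected
}
```

The work directory is deliberately left in place so that a non-zero exit can be investigated before anything is copied out of it.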