Fix #81420: ZipArchive::extractTo extracts outside of destination

cmb69 · smalyshev · commit df2ceac25a43 · 2021-09-20T21:29:24.000-07:00
We need to properly detect and handle absolute paths in a portable way.
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -106,8 +106,8 @@ static char * php_zip_make_relative_path(char *path, size_t path_len) /* {{{ */
 		return NULL;
 	}
 
-	if (IS_SLASH(path[0])) {
-		return path + 1;
+	if (IS_ABSOLUTE_PATH(path, path_len)) {
+		return path + COPY_WHEN_ABSOLUTE(path) + 1;
 	}
 
 	i = path_len;
diff --git a/ext/zip/tests/bug81420.phpt b/ext/zip/tests/bug81420.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #81420 (ZipArchive::extractTo extracts outside of destination)
+--SKIPIF--
+<?php
+if (!extension_loaded("zip")) die("skip zip extension not available");
+?>
+--FILE--
+<?php
+$zip = new ZipArchive();
+$zip->open(__DIR__ . "/bug81420.zip");
+$destination = __DIR__ . "/bug81420";
+mkdir($destination);
+$zip->extractTo($destination);
+var_dump(file_exists("$destination/nt1/zzr_noharm.php"));
+?>
+--CLEAN--
+<?php
+$destination = __DIR__ . "/bug81420";
+@unlink("$destination/nt1/zzr_noharm.php");
+@rmdir("$destination/nt1");
+@rmdir($destination);
+?>
+--EXPECT--
+bool(true)
diff --git a/ext/zip/tests/bug81420.zip b/ext/zip/tests/bug81420.zip

Original file line number	Diff line number	Diff line change
`@@ -106,8 +106,8 @@ static char * php_zip_make_relative_path(char path, size_t path_len) / {{{ */`
`106`	`106`	`return NULL;`
`107`	`107`	`}`
`108`	`108`
`109`		`- if (IS_SLASH(path[0])) {`
`110`		`- return path + 1;`
	`109`	`+ if (IS_ABSOLUTE_PATH(path, path_len)) {`
	`110`	`+ return path + COPY_WHEN_ABSOLUTE(path) + 1;`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`i = path_len;`