From bf675473197e52899987b50429ebc6b3403fcae3 Mon Sep 17 00:00:00 2001 From: Samuel Mortenson Date: Thu, 28 Nov 2019 11:59:22 -0800 Subject: [PATCH 1/2] Add flag to disallow symlinks. --- Archive/Tar.php | 28 +++++++++++++++++++++------- tests/symlink_disallow.phpt | 28 ++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 tests/symlink_disallow.phpt diff --git a/Archive/Tar.php b/Archive/Tar.php index 3ef278a..2f328c2 100644 --- a/Archive/Tar.php +++ b/Archive/Tar.php @@ -312,11 +312,12 @@ public function add($p_filelist) /** * @param string $p_path * @param bool $p_preserve + * @param bool $p_symlinks * @return bool */ - public function extract($p_path = '', $p_preserve = false) + public function extract($p_path = '', $p_preserve = false, $p_symlinks = true) { - return $this->extractModify($p_path, '', $p_preserve); + return $this->extractModify($p_path, '', $p_preserve, $p_symlinks); } /** @@ -557,11 +558,12 @@ public function addString($p_filename, $p_string, $p_datetime = false, $p_params * removed if present at the beginning of * the file/dir path. * @param boolean $p_preserve Preserve user/group ownership of files + * @param boolean $p_symlinks Allow symlinks. * * @return boolean true on success, false on error. * @see extractList() */ - public function extractModify($p_path, $p_remove_path, $p_preserve = false) + public function extractModify($p_path, $p_remove_path, $p_preserve = false, $p_symlinks = true) { $v_result = true; $v_list_detail = array(); @@ -573,7 +575,8 @@ public function extractModify($p_path, $p_remove_path, $p_preserve = false) "complete", 0, $p_remove_path, - $p_preserve + $p_preserve, + $p_symlinks ); $this->_close(); } 
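Review bot: The new `$p_symlinks` parameter defaults to `true` in `extract()`, so every existing caller keeps extracting symlink entries and the protection applies only where someone passes a third positional `false`. The docblocks give a caller no reason to do that: `extractModify()` and `extractList()` say only `Allow symlinks.`, and `extract()` and `_extractList()` carry a bare `@param bool $p_symlinks`. I would expand the tag on all four methods to something like `@param bool $p_symlinks Whether symlink entries may be extracted. Pass false for archives from untrusted sources; extraction then stops with an error at the first symlink entry.` If the default has to stay `true` for backward compatibility, say so in the docblock so the opt-in is visible to readers of the API.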
@@ -617,11 +620,12 @@ public function extractInString($p_filename) * removed if present at the beginning of * the file/dir path. * @param boolean $p_preserve Preserve user/group ownership of files + * @param boolean $p_symlinks Allow symlinks. * * @return true on success, false on error. * @see extractModify() */ - public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_preserve = false) + public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_preserve = false, $p_symlinks = true) { $v_result = true; $v_list_detail = array(); @@ -642,7 +646,8 @@ public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_p "partial", $v_list, $p_remove_path, - $p_preserve + $p_preserve, + $p_symlinks ); $this->_close(); } @@ -1917,6 +1922,7 @@ private function _extractInString($p_filename) * @param string $p_file_list * @param string $p_remove_path * @param bool $p_preserve + * @param bool $p_symlinks * @return bool */ public function _extractList( @@ -1925,7 +1931,8 @@ public function _extractList( $p_mode, $p_file_list, $p_remove_path, - $p_preserve = false + $p_preserve = false, + $p_symlinks = true ) { $v_result = true; @@ -2108,6 +2115,13 @@ public function _extractList( } } } elseif ($v_header['typeflag'] == "2") { + if (!$p_symlinks) { + $this->_warning('Symbolic links are not allowed. ' + . 'Unable to extract {' + . $v_header['filename'] . '}' + ); + return false; + } if (@file_exists($v_header['filename'])) { @unlink($v_header['filename']); } diff --git a/tests/symlink_disallow.phpt b/tests/symlink_disallow.phpt new file mode 100644 index 0000000..9cf08c0 --- /dev/null +++ b/tests/symlink_disallow.phpt 
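Review bot: The `return false` in the new `!$p_symlinks` branch of `_extractList()` abandons the archive at the first symlink entry without undoing what was already written. The accompanying test confirms this by expecting the `testme` directory to exist after the failed call. Callers that read `false` as "nothing was extracted" are left with a partial tree, so the return documentation should say it, e.g. `@return bool false on error; entries extracted before the error are left on disk`. The guard also sits only in the `typeflag == "2"` branch, so if other link-type entries are materialised elsewhere in this function (not visible in the hunk), the flag does not cover them. The body of `_extractList()` starts and ends outside this hunk.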
@@ -0,0 +1,28 @@ +--TEST-- +test symbolic links +--SKIPIF-- +--FILE-- +extract('', false, false); +$phpunit->assertErrors([ + [ + 'package' => 'PEAR_Error', + 'message' => 'Symbolic links are not allowed. Unable to extract {testme/symlink.txt}' + ], +], 'Warning thrown'); +$phpunit->assertFileExists('testme', 'dir'); +$phpunit->assertFileNotExists('testme/file1.txt', 'file1.txt'); +$phpunit->assertFileNotExists('testme/symlink.txt', 'symlink.txt'); +echo 'tests done'; +?> +--CLEAN-- + +--EXPECT-- +tests done From f82494722e5f1eac4b9aef167b3d78fb283c03ac Mon Sep 17 00:00:00 2001 From: Samuel Mortenson Date: Thu, 28 Nov 2019 12:05:41 -0800 Subject: [PATCH 2/2] Use array() symtax in symlink_disallow.phpt --- tests/symlink_disallow.phpt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/symlink_disallow.phpt b/tests/symlink_disallow.phpt index 9cf08c0..209ec1e 100644 --- a/tests/symlink_disallow.phpt +++ b/tests/symlink_disallow.phpt @@ -7,12 +7,12 @@ require_once dirname(__FILE__) . '/setup.php.inc'; $me = dirname(__FILE__) . '/testit'; $tar = new Archive_Tar(dirname(__FILE__) . '/testsymlink.tar'); $tar->extract('', false, false); -$phpunit->assertErrors([ - [ +$phpunit->assertErrors(array( + array( 'package' => 'PEAR_Error', 'message' => 'Symbolic links are not allowed. Unable to extract {testme/symlink.txt}' - ], -], 'Warning thrown'); + ), +), 'Warning thrown'); $phpunit->assertFileExists('testme', 'dir'); $phpunit->assertFileNotExists('testme/file1.txt', 'file1.txt'); $phpunit->assertFileNotExists('testme/symlink.txt', 'symlink.txt');
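Review bot: The new test in `tests/symlink_disallow.phpt` exercises the flag only through `extract('', false, false)`. `extractList()` and `extractModify()` received the same parameter and have no coverage here, and nothing checks that the default (`true`) still extracts the link. The `assertFileNotExists('testme/file1.txt', ...)` expectation holds only if the symlink entry precedes `file1.txt` in `testsymlink.tar`, which deserves a one-line comment such as `// symlink.txt precedes file1.txt in the fixture, so extraction stops before file1.txt`. As shown on this page the `--CLEAN--` section is empty, so the `testme` directory created by the run may be left behind; if that is not an artefact of the page, add the cleanup there.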