Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1812 closed Bug (fixed)

Prevent PclZip from unzipping outside of the target directory

Reported by: vipsoft Owned by:
Priority: normal Milestone: Piwik 1.1
Component: Core Keywords:
Cc: Sensitive: no

Description (last modified by matt)

This directory traversal weakness isn't a security vulnerability in Piwik 1.0 because we don't unzip third-party (inherently untrusted) .zip archives within the app. But if we supply an absolute path to both PCLZIP_OPT_PATH and PCLZIP_OPT_EXTRACT_DIR_RESTRICTION, extract() can create files outside of the target directory if the stored filename contains '../'.

Since we contemplate in-app installation of third-party plugins in the future, we should tighten up our code to serve as a reference implementation.

The PCLZIP_OPT_EXTRACT_DIR_RESTRICTION option -- to restrict to a specified extract basedir -- appears to be incompatible with with the absolute path specified via PCLZIP_OPT_PATH. I've given up on hacking pclzip.lib.php (i.e., fix one thing, introduce new side-effects). Instead, I'll use the PCLZIP_CB_PRE_EXTRACT hook (callback) to examine the target path, and either accept or skip/abort as needed.

Change History (3)

comment:1 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [3311]) fixes #1812

comment:2 Changed 3 years ago by matt (mattab)

  • Description modified (diff)
  • Summary changed from PclZip directory traversal weakness to Prevent PclZip to unzip in other directories (preventive)

comment:3 Changed 3 years ago by vipsoft (robocoder)

  • Summary changed from Prevent PclZip to unzip in other directories (preventive) to Prevent PclZip from unzipping outside of the target directory
Note: See TracTickets for help on using tickets.