Prevent PclZip from unzipping outside of the target directory
Reported by: vipsoft
Owned by:
Description (last modified by matt)
This directory traversal weakness isn't a security vulnerability in Piwik 1.0 because we don't unzip third-party (inherently untrusted) .zip archives within the app. But if we supply an absolute path to both PCLZIP_OPT_PATH and PCLZIP_OPT_EXTRACT_DIR_RESTRICTION, extract() can create files outside of the target directory if the stored filename contains '../'.
Since we contemplate in-app installation of third-party plugins in the future, we should tighten up our code to serve as a reference implementation.
The PCLZIP_OPT_EXTRACT_DIR_RESTRICTION option -- to restrict to a specified extract basedir -- appears to be incompatible with the absolute path specified via PCLZIP_OPT_PATH. I've given up on hacking pclzip.lib.php (i.e., fix one thing, introduce new side-effects). Instead, I'll use the PCLZIP_CB_PRE_EXTRACT hook (callback) to examine the target path, and either accept or skip/abort as needed.
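One way to write the pre-extract check described in the ticket, as an added example that is not Piwik's or PclZip's own code. The base directory, the function names and the sample headers are constructed, and all paths are assumed to be absolute.

```php
<?php
// Added example. EXTRACT_BASE and the function names are hypothetical.
define('EXTRACT_BASE', '/var/www/piwik/tmp/latest');

// Lexically collapse "." and ".." segments of an absolute path. realpath()
// is no help here: the target does not exist before extraction.
function normalize_path($path)
{
    $out = array();
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);          // ".." at the root stays at the root
        } else {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

// True when $target is $base itself or lies beneath it. The trailing slash
// keeps a sibling such as ".../latest-other" from matching ".../latest".
function is_inside_dir($target, $base)
{
    $base = rtrim(normalize_path($base), '/') . '/';
    return strncmp(normalize_path($target) . '/', $base, strlen($base)) === 0;
}

// PCLZIP_CB_PRE_EXTRACT callback: return 1 to extract the entry, 0 to skip it.
// $p_header['filename'] is the full path PclZip is about to write.
function restrict_to_extract_base($p_event, &$p_header)
{
    return is_inside_dir($p_header['filename'], EXTRACT_BASE) ? 1 : 0;
}

// Registration with the library loaded:
//   $archive->extract(PCLZIP_OPT_PATH, EXTRACT_BASE,
//                     PCLZIP_CB_PRE_EXTRACT, 'restrict_to_extract_base');

// Constructed headers, shaped like those PclZip passes to the callback.
// The 0 stands in for the event constant, undefined without the library.
foreach (array('piwik/index.php', '../../config/config.ini.php',
               'a/../../latest-other/x.php') as $stored) {
    $header = array('stored_filename' => $stored,
                    'filename' => EXTRACT_BASE . '/' . $stored);
    $verdict = restrict_to_extract_base(0, $header) ? 'extract' : 'skip';
    echo $verdict, '  ', $stored, "\n";
}
```

The check is purely lexical, so it does not account for symlinks that already exist inside the extraction directory.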
Change History (3)
comment:1 Changed 3 years ago by vipsoft (robocoder)
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 3 years ago by matt (mattab)
- Description modified (diff)
- Summary changed from PclZip directory traversal weakness to Prevent PclZip to unzip in other directories (preventive)