Prevent PclZip from unzipping outside of the target directory #1812

Closed
robocoder opened this issue Nov 12, 2010 · 1 comment
Labels
Bug For errors / faults / flaws / inconsistencies etc.

@robocoder
Contributor

This directory traversal weakness isn't a security vulnerability in Piwik 1.0 because we don't unzip third-party (inherently untrusted) .zip archives within the app. But if we supply an absolute path to both PCLZIP_OPT_PATH and PCLZIP_OPT_EXTRACT_DIR_RESTRICTION, extract() can create files outside of the target directory if the stored filename contains '../'.

Since we contemplate in-app installation of third-party plugins in the future, we should tighten up our code to serve as a reference implementation.

The PCLZIP_OPT_EXTRACT_DIR_RESTRICTION option -- to restrict to a specified extract basedir -- appears to be incompatible with the absolute path specified via PCLZIP_OPT_PATH. I've given up on hacking pclzip.lib.php (i.e., fix one thing, introduce new side-effects). Instead, I'll use the PCLZIP_CB_PRE_EXTRACT hook (callback) to examine the target path, and either accept or skip/abort as needed.

@robocoder
Contributor Author

(In [3311]) fixes #1812

@robocoder robocoder added this to the Piwik 1.1 milestone Jul 8, 2014
This issue was closed.
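
The pre-extract check described in the first comment, as an added example; it is not the code committed in [3311] and not part of PclZip. The names `EXTRACT_BASE`, `lexical_normalize()` and `restrict_to_base_cb()` and the sample paths are assumptions, as is the use of POSIX-style paths.

```php
<?php
// Added illustration. Wiring with PclZip would look like:
//   $zip->extract(PCLZIP_OPT_PATH, EXTRACT_BASE,
//                 PCLZIP_CB_PRE_EXTRACT, 'restrict_to_base_cb');

// Directory that extraction must stay inside (constructed value).
define('EXTRACT_BASE', '/var/www/piwik/tmp/plugin');

// Collapse '.', '..' and repeated separators without touching the disk.
// realpath() is no use here because the target file does not exist yet.
function lexical_normalize($path)
{
    $path = str_replace('\\', '/', $path);
    $absolute = ($path !== '' && $path[0] === '/');
    $out = array();
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            if (empty($out)) {
                return false;           // climbs above the starting point
            }
            array_pop($out);
            continue;
        }
        $out[] = $part;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

// PCLZIP_CB_PRE_EXTRACT callback: 1 = extract, 0 = skip entry, 2 = abort.
// $p_header['filename'] is the target path with PCLZIP_OPT_PATH applied.
function restrict_to_base_cb($p_event, &$p_header)
{
    $base   = lexical_normalize(EXTRACT_BASE);
    $target = lexical_normalize($p_header['filename']);
    // Trailing '/' on both sides so "plugin-evil" does not match "plugin".
    $inside = $target !== false && strpos($target . '/', $base . '/') === 0;
    return $inside ? 1 : 2;             // abort on the first escaping entry
}

// Constructed target paths, shaped like what the callback receives.
foreach (array('/var/www/piwik/tmp/plugin/Foo/Foo.php',
               '/var/www/piwik/tmp/plugin/../../config/config.ini.php',
               '/var/www/piwik/tmp/plugin-evil/x.php') as $name) {
    $header = array('filename' => $name);
    printf("%-56s => %d\n", $name, restrict_to_base_cb(null, $header));
}
```

The comparison is purely lexical, so it does not account for symbolic links that already exist under the base directory.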