@robocoder opened this Issue on November 12th 2010 Contributor

This directory traversal weakness isn't a security vulnerability in Piwik 1.0 because we don't unzip third-party (inherently untrusted) .zip archives within the app. But if we supply an absolute path to both PCLZIP_OPT_PATH and PCLZIP_OPT_EXTRACT_DIR_RESTRICTION, extract() can create files outside of the target directory if the stored filename contains '../'.

Since we contemplate in-app installation of third-party plugins in the future, we should tighten up our code to serve as a reference implementation.

The PCLZIP_OPT_EXTRACT_DIR_RESTRICTION option -- to restrict to a specified extract basedir -- appears to be incompatible with the absolute path specified via PCLZIP_OPT_PATH. I've given up on hacking pclzip.lib.php (i.e., fix one thing, introduce new side-effects). Instead, I'll use the PCLZIP_CB_PRE_EXTRACT hook (callback) to examine the target path, and either accept or skip/abort as needed.
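
One way to write the pre-extract check described above, as an added example that is not part of the original issue or Piwik's code. The function names `normalizePath`, `isInsideDir` and `extractGuard`, the `extractBase` global and the sample paths are hypothetical; it assumes forward-slash absolute paths.

```php
<?php
// Added illustration, not Piwik's code; function names and paths are hypothetical.

// Resolve '.' and '..' lexically: the target does not exist yet, so realpath() cannot be used.
function normalizePath($path)
{
    $path = str_replace('\\', '/', $path);
    $absolute = ($path !== '' && $path[0] === '/');
    $parts = array();
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg !== '..') {
            $parts[] = $seg;
        } elseif ($parts && end($parts) !== '..') {
            array_pop($parts);
        } elseif (!$absolute) {
            $parts[] = '..';
        }
    }
    return ($absolute ? '/' : '') . implode('/', $parts);
}

// True only if $target is $baseDir itself or lies beneath it ("/x/unpack-evil" is not under "/x/unpack").
function isInsideDir($baseDir, $target)
{
    $base = rtrim(normalizePath($baseDir), '/') . '/';
    return strpos(normalizePath($target) . '/', $base) === 0;
}

// PclZip pre-extract callback: return 1 to extract the entry, 0 to skip it.
function extractGuard($p_event, &$p_header)
{
    // $p_header['filename'] is the full path PclZip is about to write.
    return isInsideDir($GLOBALS['extractBase'], $p_header['filename']) ? 1 : 0;
}

// With PclZip loaded, the guard is registered by function name:
//   $zip->extract(PCLZIP_OPT_PATH, $GLOBALS['extractBase'], PCLZIP_CB_PRE_EXTRACT, 'extractGuard');

// Constructed sample entries, run without PclZip to show the decisions.
$GLOBALS['extractBase'] = '/srv/app/tmp/unpack';
foreach (array('plugin/readme.txt', '../../config/config.ini.php', 'a/../../unpack-evil/x') as $stored) {
    $header = array('filename' => $GLOBALS['extractBase'] . '/' . $stored);
    echo $stored, ' => ', extractGuard(0, $header) ? 'extract' : 'skip', "\n";
}
```

The check is purely lexical, so it does not account for symlinks that already exist inside the extraction directory.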

@robocoder commented on November 12th 2010 Contributor

(In [3311]) fixes #1812

This Issue was closed on November 28th 2010