File: 0004-Don-t-allow-filenames-to-start-with-phar.patch

package info
php-pear 1:1.10.1+submodules+notgz-9+deb9u1
  • area: main
  • in suites: stretch
  • size: 18,600 kB
  • sloc: php: 51,665; ansic: 38,629; xml: 32,572; yacc: 677; pascal: 452; makefile: 122; sh: 116
file content (23 lines) | stat: -rw-r--r-- 813 bytes
From: Michiel Rook <mrook@php.net>
Date: Thu, 20 Dec 2018 19:11:37 +0100
Subject: Don't allow filenames to start with phar://
Origin: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000888
Bug-Debian: https://bugs.debian.org/919147
Bug: https://pear.php.net/bugs/bug.php?id=23782

---

index 0bd1c6caae99..57a6d87f5b16 100644
--- a/submodules/Archive_Tar/Archive/Tar.php
+++ b/submodules/Archive_Tar/Archive/Tar.php
@@ -1767,6 +1767,9 @@ class Archive_Tar extends PEAR
      */
     private function _maliciousFilename($file)
     {
+        if (strpos($file, 'phar://') === 0) {
+            return true;
+        }
         if (strpos($file, '/../') !== false) {
             return true;
         }
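Review bot: the new check in `_maliciousFilename()` uses `strpos($file, 'phar://') === 0`, which is case-sensitive and so rejects only the exact lowercase prefix, while PHP resolves stream-wrapper scheme names case-insensitively; consider `stripos($file, 'phar://') === 0` (or comparing against `strtolower($file)`) so the rejection does not depend on the casing of the scheme. It would also help to extend the doc comment above the function to state that wrapper prefixes are now treated as malicious, since the existing comment only covers path traversal.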