diff --git a/composer.json b/composer.json
index 26c6c8686..cfbe5c3d3 100644
--- a/composer.json
+++ b/composer.json
@@ -12,7 +12,7 @@
"ext-soap": "*",
"combodo/tcpdf": "6.3.2",
"nikic/php-parser": "^3.1",
- "pear/archive_tar": "1.4.7",
+ "pear/archive_tar": "1.4.9",
"pelago/emogrifier": "2.1.0",
"scssphp/scssphp": "1.0.6",
"swiftmailer/swiftmailer": "5.4.12",
diff --git a/composer.lock b/composer.lock
index 39a9594be..75e0c9ae5 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "fa67ef7539c664354f726be04d0d044c",
+ "content-hash": "3e413c47265b246174add07c2c91b5e9",
"packages": [
{
"name": "combodo/tcpdf",
@@ -163,16 +163,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.7",
+ "version": "1.4.9",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "7e48add6f8edc3027dd98ad15964b1a28fd0c845"
+ "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/7e48add6f8edc3027dd98ad15964b1a28fd0c845",
- "reference": "7e48add6f8edc3027dd98ad15964b1a28fd0c845",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
+ "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
"shasum": ""
},
"require": {
@@ -225,7 +225,7 @@
"archive",
"tar"
],
- "time": "2019-04-08T13:15:55+00:00"
+ "time": "2019-12-04T10:17:28+00:00"
},
{
"name": "pear/console_getopt",
diff --git a/lib/composer/installed.json b/lib/composer/installed.json
index d0a6a8b68..3a90f17fe 100644
--- a/lib/composer/installed.json
+++ b/lib/composer/installed.json
@@ -162,17 +162,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.7",
- "version_normalized": "1.4.7.0",
+ "version": "1.4.9",
+ "version_normalized": "1.4.9.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "7e48add6f8edc3027dd98ad15964b1a28fd0c845"
+ "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/7e48add6f8edc3027dd98ad15964b1a28fd0c845",
- "reference": "7e48add6f8edc3027dd98ad15964b1a28fd0c845",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
+ "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
"shasum": ""
},
"require": {
@@ -187,7 +187,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2019-04-08T13:15:55+00:00",
+ "time": "2019-12-04T10:17:28+00:00",
"type": "library",
"extra": {
"branch-alias": {
diff --git a/lib/pear/archive_tar/.travis.yml b/lib/pear/archive_tar/.travis.yml
index a0af9f106..b841f4efc 100644
--- a/lib/pear/archive_tar/.travis.yml
+++ b/lib/pear/archive_tar/.travis.yml
@@ -20,9 +20,18 @@ matrix:
dist: trusty
- php: 7.3
dist: trusty
+ - php: 7.4snapshot
+ - php: master
+
+jobs:
+ allow_failures:
+ - php: 7.4snapshot
+ - php: master
+
install:
# - pear upgrade --force --alldeps pear/pear
- pear install -f package.xml
script:
+ - pear version
- pear run-tests -qr tests/
- for i in `find tests/ -name '*.out'`; do echo "$i"; cat "$i"; done
diff --git a/lib/pear/archive_tar/Archive/Tar.php b/lib/pear/archive_tar/Archive/Tar.php
index 53966c255..2f328c227 100644
--- a/lib/pear/archive_tar/Archive/Tar.php
+++ b/lib/pear/archive_tar/Archive/Tar.php
@@ -312,11 +312,12 @@ class Archive_Tar extends PEAR
/**
* @param string $p_path
* @param bool $p_preserve
+ * @param bool $p_symlinks
* @return bool
*/
- public function extract($p_path = '', $p_preserve = false)
+ public function extract($p_path = '', $p_preserve = false, $p_symlinks = true)
{
- return $this->extractModify($p_path, '', $p_preserve);
+ return $this->extractModify($p_path, '', $p_preserve, $p_symlinks);
}
/**
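Review bot: The new `$p_symlinks` argument of `extract()` defaults to `true`, so refusing symbolic links only takes effect for callers that pass `false` explicitly; existing call sites keep creating links from archive entries as before. The same default is repeated in `extractModify()`, `extractList()` and `_extractList()` in the later hunks. The docblock line `@param bool $p_symlinks` carries no description here or on `_extractList()`; something like `@param bool $p_symlinks Allow symbolic links; pass false when the archive comes from an untrusted source.` would make the opt-in visible. Whether this project's own callers need to pass `false` cannot be judged from this diff.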
@@ -557,11 +558,12 @@ class Archive_Tar extends PEAR
* removed if present at the beginning of
* the file/dir path.
* @param boolean $p_preserve Preserve user/group ownership of files
+ * @param boolean $p_symlinks Allow symlinks.
*
* @return boolean true on success, false on error.
* @see extractList()
*/
- public function extractModify($p_path, $p_remove_path, $p_preserve = false)
+ public function extractModify($p_path, $p_remove_path, $p_preserve = false, $p_symlinks = true)
{
$v_result = true;
$v_list_detail = array();
@@ -573,7 +575,8 @@ class Archive_Tar extends PEAR
"complete",
0,
$p_remove_path,
- $p_preserve
+ $p_preserve,
+ $p_symlinks
);
$this->_close();
}
@@ -617,11 +620,12 @@ class Archive_Tar extends PEAR
* removed if present at the beginning of
* the file/dir path.
* @param boolean $p_preserve Preserve user/group ownership of files
+ * @param boolean $p_symlinks Allow symlinks.
*
* @return true on success, false on error.
* @see extractModify()
*/
- public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_preserve = false)
+ public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_preserve = false, $p_symlinks = true)
{
$v_result = true;
$v_list_detail = array();
@@ -642,7 +646,8 @@ class Archive_Tar extends PEAR
"partial",
$v_list,
$p_remove_path,
- $p_preserve
+ $p_preserve,
+ $p_symlinks
);
$this->_close();
}
@@ -1692,7 +1697,16 @@ class Archive_Tar extends PEAR
}
// ----- Extract the checksum
- $v_header['checksum'] = OctDec(trim($v_data['checksum']));
+ $v_data_checksum = trim($v_data['checksum']);
+ if (!preg_match('/^[0-7]*$/', $v_data_checksum)) {
+ $this->_error(
+ 'Invalid checksum for file "' . $v_data['filename']
+ . '" : ' . $v_data_checksum . ' extracted'
+ );
+ return false;
+ }
+
+ $v_header['checksum'] = OctDec($v_data_checksum);
if ($v_header['checksum'] != $v_checksum) {
$v_header['filename'] = '';
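Review bot: The error message in the new checksum check concatenates `$v_data_checksum` immediately after the pattern has established that it is not a plain octal string, so it can hold arbitrary bytes from the archive header; `$v_data['filename']` is equally archive-controlled. If `_error()` output reaches a log file or an HTML page (not visible here), that is a log- or markup-injection channel. Rendering the rejected value in hex keeps the diagnostic and drops the raw bytes: `. '" : ' . bin2hex($v_data_checksum) . ' extracted'`. The enclosing method starts and ends outside this hunk.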
@@ -1908,6 +1922,7 @@ class Archive_Tar extends PEAR
* @param string $p_file_list
* @param string $p_remove_path
* @param bool $p_preserve
+ * @param bool $p_symlinks
* @return bool
*/
public function _extractList(
@@ -1916,7 +1931,8 @@ class Archive_Tar extends PEAR
$p_mode,
$p_file_list,
$p_remove_path,
- $p_preserve = false
+ $p_preserve = false,
+ $p_symlinks = true
)
{
$v_result = true;
@@ -2099,6 +2115,13 @@ class Archive_Tar extends PEAR
}
}
} elseif ($v_header['typeflag'] == "2") {
+ if (!$p_symlinks) {
+ $this->_warning('Symbolic links are not allowed. '
+ . 'Unable to extract {'
+ . $v_header['filename'] . '}'
+ );
+ return false;
+ }
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}
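Review bot: The `return false` in the new `!$p_symlinks` branch leaves `_extractList()` at the first symlink entry, and since the function body continues outside this hunk, entries handled before that point have presumably already been written to disk. Nothing at the return tells a caller that `false` can mean a partially extracted tree. A comment such as `// Aborts the whole extraction; entries written before this one are left in place.` would document that, and callers handling untrusted archives are better off extracting into a scratch directory they can discard on failure. The rejection is also reported through `_warning()`, whereas the checksum rejection added in this same commit calls `_error()` before returning false.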
diff --git a/lib/pear/archive_tar/package.xml b/lib/pear/archive_tar/package.xml
index 3e3448a95..683493951 100644
--- a/lib/pear/archive_tar/package.xml
+++ b/lib/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2019-04-08
-
+ 2019-12-04
+
- 1.4.7
+ 1.4.9
1.4.0
@@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Improved performance by increasing read buffer size
+* Implement Feature #23861: Add option to disallow symlinks [mrook]
@@ -74,6 +74,36 @@ Also Lzma2 compressed archives are supported with xz extension.
+
+
+ 1.4.8
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2019-10-21
+ New BSD License
+
+* Fix Bug #23852: PHP 7.4 - Archive_Tar->_readHeader throws deprecation [mrook]
+
+
+
+
+ 1.4.7
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2019-04-08
+ New BSD License
+
+* Improved performance by increasing read buffer size
+
+
1.4.6