⬆️ N°3973 Update update pear/archive_tar

Pierre Goiffon
2021-06-08 18:16:12 +02:00
parent 2d2a6857de
commit a076792e77
17 changed files with 4094 additions and 2681 deletions


@@ -0,0 +1,2 @@
github: [mrook]
patreon: michielrook


@@ -0,0 +1,11 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "composer" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "daily"


@@ -0,0 +1,40 @@
on:
push:
branches:
- master
pull_request:
jobs:
test:
runs-on: ${{ matrix.operating-system }}
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-latest ]
php: [ '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0' ]
dependencies: [ 'locked' ]
name: PHP ${{ matrix.php }} on ${{ matrix.operating-system }} with ${{ matrix.dependencies }} dependencies
steps:
- uses: actions/checkout@v2
name: Checkout repository
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
- uses: ramsey/composer-install@v1
with:
dependency-versions: ${{ matrix.dependencies }}
- name: Install PEAR
run: |
sudo apt-get install php-pear
- name: Run tests
run: |
sudo pear install -f package.xml
pear version
pear run-tests -qr tests/ || { cat run-tests.log; for i in `find tests/ -name '*.out'`; do echo "$i"; cat "$i"; done; exit 1; }


@@ -257,7 +257,7 @@ class Archive_Tar extends PEAR
{
$this->_close();
// ----- Look for a local copy to delete
if ($this->_temp_tarname != '') {
if ($this->_temp_tarname != '' && (bool) preg_match('/^tar[[:alnum:]]*\.tmp$/', $this->_temp_tarname)) {
@unlink($this->_temp_tarname);
}
}
@@ -1397,16 +1397,20 @@ class Archive_Tar extends PEAR
$v_magic = 'ustar ';
$v_version = ' ';
$v_uname = '';
$v_gname = '';
if (function_exists('posix_getpwuid')) {
$userinfo = posix_getpwuid($v_info[4]);
$groupinfo = posix_getgrgid($v_info[5]);
$v_uname = $userinfo['name'];
$v_gname = $groupinfo['name'];
} else {
$v_uname = '';
$v_gname = '';
if (isset($userinfo['name'])) {
$v_uname = $userinfo['name'];
}
if (isset($groupinfo['name'])) {
$v_gname = $groupinfo['name'];
}
}
$v_devmajor = '';
@@ -1730,7 +1734,7 @@ class Archive_Tar extends PEAR
// ----- Extract the properties
$v_header['filename'] = rtrim($v_data['filename'], "\0");
if ($this->_maliciousFilename($v_header['filename'])) {
if ($this->_isMaliciousFilename($v_header['filename'])) {
$this->_error(
'Malicious .tar detected, file "' . $v_header['filename'] .
'" will not install in desired directory tree'
@@ -1800,9 +1804,9 @@ class Archive_Tar extends PEAR
*
* @return bool
*/
private function _maliciousFilename($file)
private function _isMaliciousFilename($file)
{
if (strpos($file, 'phar://') === 0) {
if (strpos($file, '://') !== false) {
return true;
}
if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
@@ -1838,7 +1842,7 @@ class Archive_Tar extends PEAR
$v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
$v_header['filename'] = $v_filename;
if ($this->_maliciousFilename($v_filename)) {
if ($this->_isMaliciousFilename($v_filename)) {
$this->_error(
'Malicious .tar detected, file "' . $v_filename .
'" will not install in desired directory tree'
@@ -2120,6 +2124,32 @@ class Archive_Tar extends PEAR
}
}
} elseif ($v_header['typeflag'] == "2") {
$link_depth = 0;
foreach (explode("/", $v_header['filename']) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
foreach (explode("/", $v_header['link']) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
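Review bot: The new depth check in the typeflag "2" branch splits both $v_header['filename'] and $v_header['link'] on "/" only, whereas _isMaliciousFilename in the earlier hunk of this file also treats '..\\' as traversal, so the two checks disagree about what counts as a path separator and a backslash-delimited target is counted as a single component that increments $link_depth. On hosts where the backslash is a separator that weakens the guard, so both loops should normalise before splitting, e.g. `foreach (explode("/", str_replace("\\", "/", $v_header['link'])) as $dir) {` with the same substitution in the filename loop. The check is purely lexical, which is sound here because absolute targets and any net ".." are refused, but that reasoning deserves a line above the first loop: `// Lexical check: a relative link may not resolve above the extraction root`. The enclosing method starts and ends outside this hunk.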


@@ -1,7 +1,7 @@
Archive_Tar
==========
[![Build Status](https://secure.travis-ci.org/pear/Archive_Tar.png?branch=master)](https://travis-ci.org/pear/Archive_Tar)
![.github/workflows/build.yml](https://github.com/pear/Archive_Tar/workflows/.github/workflows/build.yml/badge.svg)
This package provides handling of tar files in PHP.
It supports creating, listing, extracting and adding to tar files.


@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>stig@php.net</email>
<active>no</active>
</helper>
<date>2020-09-15</date>
<time>14:03:45</time>
<date>2021-02-16</date>
<time>10:49:28</time>
<version>
<release>1.4.10</release>
<release>1.4.13</release>
<api>1.4.0</api>
</version>
<stability>
@@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
* Don't try to copy username/groupname in chroot jail
* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
</notes>
<contents>
<dir name="/">
@@ -75,6 +74,52 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</dependencies>
<phprelease />
<changelog>
<release>
<version>
<release>1.4.12</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2021-01-18</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.11</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2020-11-19</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.10</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2020-09-15</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
* Don&apos;t try to copy username/groupname in chroot jail
</notes>
</release>
<release>
<version>
<release>1.4.9</release>