This repository was archived by the owner on Feb 25, 2020. It is now read-only.

Commit d15207e

Prevent Zip Traversal Attacks (#156)
Checks for special characters within filenames within a ZIP file using strpos comparison
1 parent aa42817 commit d15207e

1 file changed

+5
-0
lines changed

src/Chumper/Zipper/Zipper.php

+5
@@ -613,6 +613,11 @@ private function extractFilesInternal($path, callable $matchingMethod)
613613
private function extractOneFileInternal($fileName, $path)
614614
{
615615
$tmpPath = str_replace($this->getInternalPath(), '', $fileName);
616+
617+
//Prevent Zip traversal attacks
618+
if (strpos($fileName, '../') !== false || strpos($fileName, '..\\') !== false) {
619+
throw new \RuntimeException('Special characters found within filenames');
620+
}
616621

617622
// We need to create the directory first in case it doesn't exist
618623
$dir = pathinfo($path.DIRECTORY_SEPARATOR.$tmpPath, PATHINFO_DIRNAME);
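Review bot: the check added at lines 618-620 is a substring blocklist, so it rejects only names containing `../` or `..\` and still accepts an entry named exactly `..` or an entry whose name is an absolute path (leading `/`, `\` or a drive letter), while `$tmpPath` continues to be derived from `$fileName` by plain `str_replace` and fed straight into `pathinfo($path.DIRECTORY_SEPARATOR.$tmpPath, PATHINFO_DIRNAME)`. Enforce the invariant instead of the pattern: build the destination, canonicalize it (resolve `.`/`..` segments and both separator styles), and throw unless the result begins with the canonical extraction root plus `DIRECTORY_SEPARATOR`; that covers every spelling the blocklist misses and keeps the later directory-creation step safe. Also include the offending `$fileName` in the `RuntimeException` message so a rejected archive can be identified from logs, and reword `//Prevent Zip traversal attacks` to state what is being guaranteed (the destination must stay under `$path`).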
