Prevent Zip Traversal Attacks (#156)

snoopysecurity · web-flow · commit d15207e010f8 · 2020-02-25T12:57:40.000+01:00
Checks for special characters within filenames within a ZIP file using strpos comparison
diff --git a/src/Chumper/Zipper/Zipper.php b/src/Chumper/Zipper/Zipper.php
@@ -613,6 +613,11 @@ private function extractFilesInternal($path, callable $matchingMethod)
     private function extractOneFileInternal($fileName, $path)
     {
         $tmpPath = str_replace($this->getInternalPath(), '', $fileName);
+        
+        //Prevent Zip traversal attacks
+        if (strpos($fileName, '../') !== false || strpos($fileName, '..\\') !== false) {
+            throw new \RuntimeException('Special characters found within filenames');
+        }
 
         // We need to create the directory first in case it doesn't exist
         $dir = pathinfo($path.DIRECTORY_SEPARATOR.$tmpPath, PATHINFO_DIRNAME);
