Bug #65414 Injection (A1) in .phar files magic .phar directory
Submitted: 2013-08-07 11:01 UTC Modified: 2018-02-02 02:46 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: hanskrentel at yahoo dot de Assigned: bishop
Status: Closed Package: PHAR related
PHP Version: 5.4.17 OS:
Private report: No CVE-ID: None
 [2013-08-07 11:01 UTC] hanskrentel at yahoo dot de
Description:
------------
The checks to add files or strings as files to a .phar file into the magic .phar directory do not prevent creating files within that directory.

This is because those checks (at different places) do not check if the path is actually into that .phar directory or not.

The filename (pathname) is not normalized prior to the access check.

This allows one to easily circumvent the access control and create files therein.

I ran over this while reviewing Bug #64931 and the workaround there is the exploit here (prefixing the filename (pathname)).

Test script:
---------------
<?php

$phar = new \Phar("foo.phar", 0, "foo.phar");

// The leading "/" keeps the name from matching the ".phar" prefix check,
// so the entry is written into the magic directory anyway.
$phar->addFromString('/.phar/how-unicorns-shit_-_the-complete-guide.txt', "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into.");

var_dump(file_get_contents('phar://' . __DIR__ . '/foo.phar/.phar/how-unicorns-shit_-_the-complete-guide.txt'));

Expected result:
----------------
Fatal error: Uncaught exception 'BadMethodCallException' with message 'Cannot create any files in magic ".phar" directory' 

Actual result:
--------------
string(383) "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into."
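The defect described in the report is a prefix check applied to an un-normalized entry name. The following is an added example, not PHP's own phar code: an illustrative prefix check of the assumed shape (not the real phar source) beside a check that normalizes the name first, run over constructed sample names including the leading-slash variant from the report.

```php
<?php
// Added example (not PHP's own code): naive prefix check vs. normalized check.

// Naive check: only rejects names that literally start with ".phar".
function naiveMagicDirCheck(string $name): bool
{
    return strncmp($name, '.phar', 5) !== 0; // true = allowed
}

// Normalize an archive entry name: forward slashes only, no leading
// slashes, no empty or "." segments, ".." resolved (never above root).
function normalizeEntryName(string $name): string
{
    $name = str_replace('\\', '/', $name);
    $out = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

// Hardened check: decide on the normalized name, and reject both the
// magic directory itself and anything beneath it (but not ".pharmacy").
function safeMagicDirCheck(string $name): bool
{
    $n = normalizeEntryName($name);
    return !($n === '.phar' || strncmp($n, '.phar/', 6) === 0);
}

// Constructed sample names, including the leading-slash variant from the report.
$samples = [
    'docs/readme.txt',
    '.phar/stub.php',
    '/.phar/how-unicorns-shit_-_the-complete-guide.txt',
    'docs/../.phar/x.txt',
    '.pharmacy/notes.txt',
];
foreach ($samples as $s) {
    printf("%-50s naive=%s safe=%s\n", $s,
        naiveMagicDirCheck($s) ? 'allow' : 'deny',
        safeMagicDirCheck($s) ? 'allow' : 'deny');
}
```

The naive check lets the leading-slash and `..` names through and wrongly rejects `.pharmacy/`, while the normalized check gets all five right.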

History

 [2016-10-30 22:07 UTC] [email protected]
-Type: Security +Type: Bug
 [2016-10-30 22:07 UTC] [email protected]
Doesn't look to me like a security issue.
 [2018-02-02 02:46 UTC] [email protected]
-Status: Open +Status: Verified -Assigned To: +Assigned To: bishop
 [2018-02-08 09:34 UTC] [email protected]
-Status: Verified +Status: Closed