Patching Zip Traversal within pclzip

AngelFQC · web-flow · commit af10d07a3992 · 2022-09-06T16:41:44.000-05:00
Refs https://snoopysecurity.github.io/application-security/2020/03/01/10_patching_zip_traversal_pclzip.html
diff --git a/pclzip.lib.php b/pclzip.lib.php
@@ -3513,6 +3513,12 @@ public function privExtractFile(&$p_entry, $p_path, $p_remove_path, $p_remove_al
             }
         }
 
+        // Patch for Zip Traversal vulnerability
+        if (strpos($p_entry['stored_filename'], '../') !== false || strpos($p_entry['stored_filename'], '..\\') !== false) {
+            $p_entry['stored_filename'] = basename($p_entry['stored_filename']);
+            $p_entry['filename'] = basename($p_entry['stored_filename']);
+        }
+
         // ----- Add the path
         if ($p_path != '') {
             $p_entry['filename'] = $p_path . "/" . $p_entry['filename'];

Original file line number	Diff line number	Diff line change
`@@ -3513,6 +3513,12 @@ public function privExtractFile(&$p_entry, $p_path, $p_remove_path, $p_remove_al`
`3513`	`3513`	`}`
`3514`	`3514`	`}`
`3515`	`3515`
	`3516`	`+ // Patch for Zip Traversal vulnerability`
	`3517`	`+ if (strpos($p_entry['stored_filename'], '../') !== false \|\| strpos($p_entry['stored_filename'], '..\\') !== false) {`
	`3518`	`+ $p_entry['stored_filename'] = basename($p_entry['stored_filename']);`
	`3519`	`+ $p_entry['filename'] = basename($p_entry['stored_filename']);`
	`3520`	`+ }`
	`3521`	`+`
`3516`	`3522`	`// ----- Add the path`
`3517`	`3523`	`if ($p_path != '') {`
`3518`	`3524`	`$p_entry['filename'] = $p_path . "/" . $p_entry['filename'];`