diff --git a/composer.json b/composer.json
index 37875be8f..cc2590e61 100644
--- a/composer.json
+++ b/composer.json
@@ -29,7 +29,7 @@
"nikic/php-parser": "^4.2",
"patchwork/jsqueeze": "^2.0",
"patchwork/utf8": "1.3.1",
- "pear/archive_tar": "1.4.8",
+ "pear/archive_tar": "1.4.11",
"pear/pear-core-minimal": "^v1.10",
"phpseclib/phpseclib": "2.0.23",
"php-opencloud/openstack": "3.0.6",
diff --git a/composer.lock b/composer.lock
index eaa45d33a..1a3487ec2 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "3fd6c147656a9ff308546b1f30171f3f",
+ "content-hash": "e462b12fe8a04abe17a822e55e71116c",
"packages": [
{
"name": "aws/aws-sdk-php",
@@ -993,6 +993,7 @@
"keywords": [
"reflection"
],
+ "abandoned": "roave/better-reflection",
"time": "2018-06-14T14:45:07+00:00"
},
{
@@ -1285,6 +1286,7 @@
}
],
"description": "Provides a simple API and specification that abstracts away the details of HTTP into a single PHP function.",
+ "abandoned": true,
"time": "2015-05-20T03:37:09+00:00"
},
{
@@ -1335,6 +1337,7 @@
"Guzzle",
"stream"
],
+ "abandoned": true,
"time": "2014-10-12T19:18:40+00:00"
},
{
@@ -1473,7 +1476,7 @@
"time": "2015-08-01T16:27:37+00:00"
},
{
- "name": "jeremeamia/SuperClosure",
+ "name": "jeremeamia/superclosure",
"version": "2.4.0",
"source": {
"type": "git",
@@ -1528,6 +1531,7 @@
"serialize",
"tokenizer"
],
+ "abandoned": "opis/closure",
"time": "2018-03-21T22:21:57+00:00"
},
{
@@ -1646,6 +1650,7 @@
"scss",
"stylesheet"
],
+ "abandoned": "scssphp/scssphp",
"time": "2018-07-22T01:22:08+00:00"
},
{
@@ -1970,6 +1975,7 @@
"javascript",
"minification"
],
+ "abandoned": true,
"time": "2016-04-19T09:28:22+00:00"
},
{
@@ -2033,16 +2039,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.8",
+ "version": "1.4.11",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "442bdffb7edb84c898cfd94f7ac8500e49d5bbb5"
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/442bdffb7edb84c898cfd94f7ac8500e49d5bbb5",
- "reference": "442bdffb7edb84c898cfd94f7ac8500e49d5bbb5",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
@@ -2095,7 +2101,7 @@
"archive",
"tar"
],
- "time": "2019-10-21T13:31:24+00:00"
+ "time": "2020-11-19T22:10:24+00:00"
},
{
"name": "pear/console_getopt",
@@ -4190,5 +4196,6 @@
"platform-dev": [],
"platform-overrides": {
"php": "7.2.0"
- }
+ },
+ "plugin-api-version": "1.1.0"
}
diff --git a/composer/ClassLoader.php b/composer/ClassLoader.php
index fce8549f0..03b9bb9c4 100644
--- a/composer/ClassLoader.php
+++ b/composer/ClassLoader.php
@@ -60,7 +60,7 @@ class ClassLoader
public function getPrefixes()
{
if (!empty($this->prefixesPsr0)) {
- return call_user_func_array('array_merge', $this->prefixesPsr0);
+ return call_user_func_array('array_merge', array_values($this->prefixesPsr0));
}
return array();
diff --git a/composer/autoload_real.php b/composer/autoload_real.php
index 72e1b9c01..d61ab2a1d 100644
--- a/composer/autoload_real.php
+++ b/composer/autoload_real.php
@@ -13,6 +13,9 @@ public static function loadClassLoader($class)
}
}
+ /**
+ * @return \Composer\Autoload\ClassLoader
+ */
public static function getLoader()
{
if (null !== self::$loader) {
diff --git a/composer/installed.json b/composer/installed.json
index 404e8f614..ec212a9ef 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2094,17 +2094,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.8",
- "version_normalized": "1.4.8.0",
+ "version": "1.4.11",
+ "version_normalized": "1.4.11.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "442bdffb7edb84c898cfd94f7ac8500e49d5bbb5"
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/442bdffb7edb84c898cfd94f7ac8500e49d5bbb5",
- "reference": "442bdffb7edb84c898cfd94f7ac8500e49d5bbb5",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
@@ -2119,7 +2119,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2019-10-21T13:31:24+00:00",
+ "time": "2020-11-19T22:10:24+00:00",
"type": "library",
"extra": {
"branch-alias": {
diff --git a/pear/archive_tar/.gitignore b/pear/archive_tar/.gitignore
index c32ccd7cc..c703991e8 100644
--- a/pear/archive_tar/.gitignore
+++ b/pear/archive_tar/.gitignore
@@ -8,3 +8,8 @@ vendor
.buildpath
.project
.settings
+# pear
+.tarballs
+*.tgz
+# phpunit
+build
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 3ef278aa9..92710741c 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -312,11 +312,12 @@ public function add($p_filelist)
/**
* @param string $p_path
* @param bool $p_preserve
+ * @param bool $p_symlinks
* @return bool
*/
- public function extract($p_path = '', $p_preserve = false)
+ public function extract($p_path = '', $p_preserve = false, $p_symlinks = true)
{
- return $this->extractModify($p_path, '', $p_preserve);
+ return $this->extractModify($p_path, '', $p_preserve, $p_symlinks);
}
/**
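Review bot: The new `$p_symlinks` parameter of `extract()` defaults to `true`, so every existing caller keeps extracting symbolic links unless it opts out, and the added docblock line `@param bool $p_symlinks` does not say so. I would document it as `@param bool $p_symlinks Allow symbolic link entries (default true); pass false when the archive comes from an untrusted source.` The same applies to the `Allow symlinks.` lines added to `extractModify()` and `extractList()` and to the bare `@param bool $p_symlinks` added to `_extractList()`. Call sites that unpack uploaded or downloaded archives are not part of this diff and should be checked to pass `false` explicitly.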
@@ -557,11 +558,12 @@ public function addString($p_filename, $p_string, $p_datetime = false, $p_params
* removed if present at the beginning of
* the file/dir path.
* @param boolean $p_preserve Preserve user/group ownership of files
+ * @param boolean $p_symlinks Allow symlinks.
*
* @return boolean true on success, false on error.
* @see extractList()
*/
- public function extractModify($p_path, $p_remove_path, $p_preserve = false)
+ public function extractModify($p_path, $p_remove_path, $p_preserve = false, $p_symlinks = true)
{
$v_result = true;
$v_list_detail = array();
@@ -573,7 +575,8 @@ public function extractModify($p_path, $p_remove_path, $p_preserve = false)
"complete",
0,
$p_remove_path,
- $p_preserve
+ $p_preserve,
+ $p_symlinks
);
$this->_close();
}
@@ -617,11 +620,12 @@ public function extractInString($p_filename)
* removed if present at the beginning of
* the file/dir path.
* @param boolean $p_preserve Preserve user/group ownership of files
+ * @param boolean $p_symlinks Allow symlinks.
*
* @return true on success, false on error.
* @see extractModify()
*/
- public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_preserve = false)
+ public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_preserve = false, $p_symlinks = true)
{
$v_result = true;
$v_list_detail = array();
@@ -642,7 +646,8 @@ public function extractList($p_filelist, $p_path = '', $p_remove_path = '', $p_p
"partial",
$v_list,
$p_remove_path,
- $p_preserve
+ $p_preserve,
+ $p_symlinks
);
$this->_close();
}
@@ -726,7 +731,7 @@ public function setIgnoreRegexp($regexp)
*/
public function setIgnoreList($list)
{
- $regexp = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
+ $list = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
$regexp = '#/' . join('$|/', $list) . '#';
$this->setIgnoreRegexp($regexp);
}
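Review bot: `setIgnoreList()` escapes only `#`, `.`, `^` and `$` before joining the entries into a `#…#` pattern, so an entry containing another PCRE metacharacter such as `(`, `[`, `+` or `|` still alters the pattern or makes it invalid. If entries are meant to be literal names, `$list = array_map(function ($item) { return preg_quote($item, '#'); }, $list);` covers all of them. If some callers rely on pattern characters in the list, the docblock should say so instead. The docblock starts above the hunk, so what it currently promises is not visible here.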
@@ -1268,7 +1273,7 @@ public function _addFile($p_filename, &$p_header, $p_add_dir, $p_remove_dir, $v_
while (($v_buffer = fread($v_file, $this->buffer_length)) != '') {
$buffer_length = strlen("$v_buffer");
if ($buffer_length != $this->buffer_length) {
- $pack_size = ((int)($buffer_length / 512) + 1) * 512;
+ $pack_size = ((int)($buffer_length / 512) + ($buffer_length % 512 !== 0 ? 1 : 0)) * 512;
$pack_format = sprintf('a%d', $pack_size);
} else {
$pack_format = sprintf('a%d', $this->buffer_length);
@@ -1510,8 +1515,13 @@ public function _writeHeaderBlock(
$userinfo = posix_getpwuid($p_uid);
$groupinfo = posix_getgrgid($p_gid);
- $v_uname = $userinfo['name'];
- $v_gname = $groupinfo['name'];
+ if ($userinfo === false || $groupinfo === false) {
+ $v_uname = '';
+ $v_gname = '';
+ } else {
+ $v_uname = $userinfo['name'];
+ $v_gname = $groupinfo['name'];
+ }
} else {
$v_uname = '';
$v_gname = '';
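Review bot: The added guard blanks both names when either `posix_getpwuid()` or `posix_getgrgid()` returns `false`, so a resolvable user name is dropped whenever only the group lookup fails, and the empty-string assignments now appear twice in this branch. Handling the lookups independently is shorter: `$v_uname = $userinfo === false ? '' : $userinfo['name'];` and `$v_gname = $groupinfo === false ? '' : $groupinfo['name'];`. A comment such as `// lookups return false when passwd/group data is unavailable, e.g. in a chroot jail` would record why the check exists. `_writeHeaderBlock()` starts and ends outside the hunk.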
@@ -1720,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)
// ----- Extract the properties
$v_header['filename'] = rtrim($v_data['filename'], "\0");
- if ($this->_maliciousFilename($v_header['filename'])) {
+ if ($this->_isMaliciousFilename($v_header['filename'])) {
$this->_error(
'Malicious .tar detected, file "' . $v_header['filename'] .
'" will not install in desired directory tree'
@@ -1790,9 +1800,9 @@ private function _tarRecToSize($tar_size)
*
* @return bool
*/
- private function _maliciousFilename($file)
+ private function _isMaliciousFilename($file)
{
- if (strpos($file, 'phar://') === 0) {
+ if (strpos($file, '://') !== false) {
return true;
}
if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
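Review bot: The docblock of the renamed `_isMaliciousFilename()` should state what is rejected, because the test changed from a `phar://` prefix to `://` anywhere in the name and only `* @return bool` is visible above the signature. A summary line such as `Rejects names containing a stream-wrapper scheme separator ("://") or a "../" / "..\" sequence.` would make the denylist explicit for the two callers in `_readHeader()` and `_readLongHeader()`. It is also worth noting there that an archive entry whose name legitimately contains `://` is now refused. The function body continues below the hunk, so further checks may exist that are not shown.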
@@ -1828,7 +1838,7 @@ public function _readLongHeader(&$v_header)
$v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
$v_header['filename'] = $v_filename;
- if ($this->_maliciousFilename($v_filename)) {
+ if ($this->_isMaliciousFilename($v_filename)) {
$this->_error(
'Malicious .tar detected, file "' . $v_filename .
'" will not install in desired directory tree'
@@ -1917,6 +1927,7 @@ private function _extractInString($p_filename)
* @param string $p_file_list
* @param string $p_remove_path
* @param bool $p_preserve
+ * @param bool $p_symlinks
* @return bool
*/
public function _extractList(
@@ -1925,7 +1936,8 @@ public function _extractList(
$p_mode,
$p_file_list,
$p_remove_path,
- $p_preserve = false
+ $p_preserve = false,
+ $p_symlinks = true
)
{
$v_result = true;
@@ -2108,6 +2120,13 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
+ if (!$p_symlinks) {
+ $this->_warning('Symbolic links are not allowed. '
+ . 'Unable to extract {'
+ . $v_header['filename'] . '}'
+ );
+ return false;
+ }
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}
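Review bot: With the default `$p_symlinks = true` this branch still creates the link, and nothing visible in the diff validates the link target the way `_isMaliciousFilename()` validates `$v_header['filename']`. The target is presumably `$v_header['link']`, used below the hunk. If no such check exists further down, the target should be passed through the same check before the link is created. The added `return false` also stops extraction at the first symlink entry and leaves earlier entries on disk. A comment would tell callers to clean up: `// Refuse the whole archive rather than skip the entry; files extracted before this point remain on disk.` `_extractList()` continues outside the hunk on both sides.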
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index de55e5dc4..6edf4fd10 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2019-10-21
-
+ 2020-11-19
+
- 1.4.8
+ 1.4.11
1.4.0
@@ -44,7 +44,8 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Fix Bug #23852: PHP 7.4 - Archive_Tar->_readHeader throws deprecation [mrook]
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
+ CVE-2020-28949) [mrook]
@@ -74,6 +75,52 @@ Also Lzma2 compressed archives are supported with xz extension.
+
+
+ 1.4.10
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2020-09-15
+ New BSD License
+
+ * Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
+ * Don't try to copy username/groupname in chroot jail
+
+
+
+
+ 1.4.9
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2019-12-04
+ New BSD License
+
+* Implement Feature #23861: Add option to disallow symlinks [mrook]
+
+
+
+
+ 1.4.8
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2019-10-21
+ New BSD License
+
+* Fix Bug #23852: PHP 7.4 - Archive_Tar->_readHeader throws deprecation [mrook]
+
+
1.4.7