archive's Issues

CVE-2021-26028 fix needs back porting from CMS to this repo

Steps to reproduce the issue

https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html

libraries/joomla/archive/zip.php in joomla/joomla-cms@aadf697

Expected result

Issues fixed in the CMS are backported/contributed/coordinated by the JSST with the framework packages

Actual result

Reported Date: 2020-09-08
Fixed Date: 2021-03-02
Today's date: 5th March 2021
Framework still vulnerable...
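
Path traversal during ZIP extraction arises when an entry name taken from the archive is joined to the destination directory without checking that the result stays inside it. The check below is an added example, not the patch in joomla/joomla-cms@aadf697 and not code from this repository; `safeEntryPath()`, the `/tmp/extract` destination and the sample entry names are hypothetical.

```php
<?php
// Added example: lexical containment check for archive entry names.
// safeEntryPath() is a hypothetical helper, not part of Joomla\Archive.
function safeEntryPath(string $destination, string $entryName): string
{
    // ZIP entry names may use either separator; normalise to "/".
    $name = str_replace('\\', '/', $entryName);

    // Reject empty names, NUL bytes, absolute paths and drive prefixes outright.
    if ($name === '' || strpos($name, "\0") !== false
        || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)) {
        throw new RuntimeException('Unsafe archive entry name');
    }

    // Resolve "." and ".." lexically: the target does not exist yet,
    // so realpath() cannot be used on it.
    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            // Popping past the top means the entry climbs out of the destination.
            if (array_pop($parts) === null) {
                throw new RuntimeException('Archive entry escapes destination');
            }
            continue;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        throw new RuntimeException('Archive entry resolves to the destination itself');
    }

    return rtrim($destination, '/\\') . '/' . implode('/', $parts);
}

// Constructed entry names, used only to exercise the check.
$samples = ['docs/readme.txt', 'a/../b.txt', '../../outside.txt',
            '/abs/path.txt', 'C:\\temp\\x.txt', 'a/b/../../../x'];
foreach ($samples as $entry) {
    try {
        echo str_pad($entry, 20), ' -> ', safeEntryPath('/tmp/extract', $entry), PHP_EOL;
    } catch (RuntimeException $e) {
        echo str_pad($entry, 20), ' -> REJECTED: ', $e->getMessage(), PHP_EOL;
    }
}
```

The check is purely lexical, so it does not account for symbolic links that already exist inside the destination directory.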

Joomla Archive extract uppercase ZIP causes “Unknown archive type”

Steps to reproduce the issue

$archive = new Archive; 
$archive->extract( 'something.ZIP', $this->tmp_directory);

Expected result

Success

Actual result

Unknown archive type: ZIP

System information (as much as possible)

Linux/Apache/Joomla 3.9.3

Additional comments

If renamed to something.zip it works.

Extracting an archive using streams fails.

First of all, check out https://bugs.php.net/bug.php?id=63195&edit=1
Now if you extract a bzip2 archive with the use_stream option enabled, then it doesn't extract the file. It throws an exception.
On further checking I found out that on the second iteration of reading (do-while loop) in Stream::read it got an empty string, and that caused the exception.

Same is the case with gzip archive extraction using streams.

Non-specific error messages are frustrating and useless to the user

Steps to reproduce the issue

  • Install a component, e.g. com_foobar
  • Make its directory (administrator/components/com_foobar) read-only
  • Try to install an update, or the same version even, from a ZIP file

Expected result

Something along the lines of Cannot write to file /home/example/public_html/administrator/components/com_foobar/foobar.php

Actual result

The useless, if not misleading, error message Unable to write entry

System information (as much as possible)

Irrelevant.

Additional comments

The Joomla! extensions installer simply dumps the message from the RuntimeException you are throwing in the Zip and Tar classes. For example, in the ZIP class you have this code (one of two areas in the class that need to be changed):

				// Make sure the destination folder exists
				if (!Folder::create(dirname($path)))
				{
					throw new \RuntimeException('Unable to create destination');
				}

				if (!File::write($path, $buffer))
				{
					throw new \RuntimeException('Unable to write entry');
				}

These are useless error messages. It'd be better if you did:

				// Make sure the destination folder exists
				if (!Folder::create(dirname($path)))
				{
					throw new \RuntimeException('Unable to create destination folder ' . dirname($path));
				}

				if (!File::write($path, $buffer))
				{
					throw new \RuntimeException('Unable to write to file ' . $path);
				}

It doesn't matter if you are a developer using this class in your own code or an end user. These messages are thrown when there is a filesystem access issue. If you don't know where in the filesystem the issue is you cannot fix it. Moreover, "write entry" means exactly nothing, zero, nada, zilch to someone who ends up seeing this error message. Even worse, there is no indication it's a filesystem issue. The first thing that springs to mind is "database error".

This issue will be referenced in my documentation as Yet Another Joomla! Bug which prevents my clients from installing my extensions while making it impossible for me to support them. I can't help them if there is no indication of whether the problem is Joomla! extracting the extensions from the package ZIP or extracting an extension ZIP to the temporary folder or something else. No useful feedback from Joomla! = bug. Please fix it. I've provided the solution for your convenience.
