
Commit a85d230

committed
MC-34749: Improve zip archive filename validation
1 parent 6627596 commit a85d230


1 file changed

+15
-2
lines changed

1 file changed

+15
-2
lines changed

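--- a/lib/internal/Magento/Framework/Archive/Zip.php
+++ b/lib/internal/Magento/Framework/Archive/Zip.php
@@ -53,8 +53,9 @@ public function unpack($source, $destination)
 {
 $zip = new \ZipArchive();
 if ($zip->open($source) === true) {
-$zip->renameIndex(0, basename($destination));
-$filename = $zip->getNameIndex(0) ?: '';
+$baseName = basename($destination);
+$filename = $this->getFilenameFromZip($zip, $baseName);
+
 if ($filename) {
 $zip->extractTo(dirname($destination), $filename);
 } else {
@@ -67,4 +68,16 @@ public function unpack($source, $destination)
 
 return $destination;
 }
+
+private function getFilenameFromZip(\ZipArchive $zip, string $baseName): string
+{
+$index = 0;
+
+do {
+$filename = $zip->getNameIndex($index);
+$index++;
+} while ($baseName !== $filename && $filename !== false);
+
+return $filename === $baseName ? $filename : '';
+}
 }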
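Review bot: getFilenameFromZip() has no docblock, although its exact-equality comparison against `basename($destination)` appears to be the whole point of the validation change. Suggest a docblock saying that it returns an entry name only when it is identical to the expected base name, so a name carrying directory components or `../` segments is never handed to `extractTo()`, and that an empty string means no such entry exists. The hand-written do/while scan could probably be reduced to `return $zip->locateName($baseName) === false ? '' : $baseName;`, provided its name-encoding handling is confirmed to match `getNameIndex()`. The commit changes only Zip.php, so a regression test using an archive whose entries do not match the base name would be worth adding. unpack()'s body continues outside both hunks, so whether the `extractTo()` result is checked cannot be judged from here.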
