MC-34749: Improve zip archive filename validation

StasKozar · StasKozar · commit a85d23075283 · 2020-06-02T15:58:18.000+03:00
diff --git a/lib/internal/Magento/Framework/Archive/Zip.php b/lib/internal/Magento/Framework/Archive/Zip.php
@@ -53,8 +53,9 @@ public function unpack($source, $destination)
     {
         $zip = new \ZipArchive();
         if ($zip->open($source) === true) {
-            $zip->renameIndex(0, basename($destination));
-            $filename = $zip->getNameIndex(0) ?: '';
+            $baseName = basename($destination);
+            $filename = $this->getFilenameFromZip($zip, $baseName);
+
             if ($filename) {
                 $zip->extractTo(dirname($destination), $filename);
             } else {
@@ -67,4 +68,16 @@ public function unpack($source, $destination)
 
         return $destination;
     }
+
+    private function getFilenameFromZip(\ZipArchive $zip, string $baseName): string
+    {
+        $index = 0;
+
+        do {
+            $filename = $zip->getNameIndex($index);
+            $index++;
+        } while ($baseName !== $filename && $filename !== false);
+
+        return $filename === $baseName ? $filename : '';
+    }
 }
