From bc2f830ab7e2353dc190835446e0b35847755963 Mon Sep 17 00:00:00 2001 From: Surillya Date: Fri, 20 Jun 2025 23:01:48 +0200 Subject: [PATCH] Removed directory-crossing restriction, since it seemed overly agressive --- pkg.php | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/pkg.php b/pkg.php index 3f43456..1d78bd7 100644 --- a/pkg.php +++ b/pkg.php @@ -28,21 +28,17 @@ function validateManifest(array $manifest): array { function installPackage(string $zipPath, string $appsDir): bool { if (!file_exists($zipPath)) { die("Error: ZIP file does not exist."); - return false; } $zip = new ZipArchive(); if ($zip->open($zipPath) !== true) { die("Error: Unable to open ZIP file."); - return false; } // Check for manifest.json at root of ZIP $manifestIndex = $zip->locateName('manifest.json', ZipArchive::FL_NODIR); if ($manifestIndex === false) { die("Error: manifest.json not found in ZIP root."); - $zip->close(); - return false; } // Read and decode manifest.json @@ -51,8 +47,6 @@ function installPackage(string $zipPath, string $appsDir): bool { if (!$manifest) { die("Error: manifest.json contains invalid JSON."); - $zip->close(); - return false; } // Validate manifest fields @@ -87,11 +81,11 @@ function installPackage(string $zipPath, string $appsDir): bool { $filename = $stat['name']; // Security check: prevent path traversal - if (strpos($filename, '..') !== false) { - echo "Error: ZIP contains invalid filename (path traversal): $filename\n"; - $zip->close(); - return false; - } + // if (strpos($filename, '..') !== false) { + // echo "Error: ZIP contains invalid filename (path traversal): $filename\n"; + // $zip->close(); + // return false; + // } // Extract file content $content = $zip->getFromIndex($i);
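Review bot: Commenting out the `..` check in the last hunk (`@@ -87,11 +81,11 @@`) leaves the extraction loop with no visible guard on `$filename`. If the code after this hunk builds the destination path from the entry name, an archive entry with a `..` segment or an absolute path could be written outside `$appsDir`. The old `strpos($filename, '..')` test was over-broad because it also rejected harmless names such as `notes..txt`; a per-segment check keeps the protection without those false positives. I would replace the commented-out block with the check below rather than keep dead code, and also confirm that the resolved destination stays under the package directory before writing. The loop and the rest of `installPackage` lie outside the hunk, so the write path itself is not visible here.

```php
$filename = $stat['name'];

// Security check: reject entries that could escape the install directory
$entryPath = str_replace('\\', '/', $filename);
$isAbsolute = $entryPath !== ''
    && ($entryPath[0] === '/' || preg_match('/^[A-Za-z]:/', $entryPath) === 1);
if (
    $isAbsolute
    || in_array('..', explode('/', $entryPath), true)
    || strpos($entryPath, "\0") !== false
) {
    echo "Error: ZIP contains invalid filename (path traversal): $filename\n";
    $zip->close();
    return false;
}

// … unchanged: extract file content …
```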