Removed directory-crossing restriction, since it seemed overly agressive

2025-06-20 23:01:48 +02:00
parent e79f08530d
commit bc2f830ab7

16
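--- a/pkg.php
+++ b/pkg.php
@@ -28,21 +28,17 @@ function validateManifest(array $manifest): array {
 function installPackage(string $zipPath, string $appsDir): bool {
 if (!file_exists($zipPath)) {
 die("Error: ZIP file does not exist.");
-return false;
 }
 $zip = new ZipArchive();
 if ($zip->open($zipPath) !== true) {
 die("Error: Unable to open ZIP file.");
-return false;
 }
 // Check for manifest.json at root of ZIP
 $manifestIndex = $zip->locateName('manifest.json', ZipArchive::FL_NODIR);
 if ($manifestIndex === false) {
 die("Error: manifest.json not found in ZIP root.");
-$zip->close();
-return false;
 }
 // Read and decode manifest.json
@@ -51,8 +47,6 @@ function installPackage(string $zipPath, string $appsDir): bool {
 if (!$manifest) {
 die("Error: manifest.json contains invalid JSON.");
-$zip->close();
-return false;
 }
 // Validate manifest fields
@@ -87,11 +81,11 @@ function installPackage(string $zipPath, string $appsDir): bool {
 $filename = $stat['name'];
 // Security check: prevent path traversal
-if (strpos($filename, '..') !== false) {
-echo "Error: ZIP contains invalid filename (path traversal): $filename\n";
-$zip->close();
-return false;
-}
+// if (strpos($filename, '..') !== false) {
+// echo "Error: ZIP contains invalid filename (path traversal): $filename\n";
+// $zip->close();
+// return false;
+// }
 // Extract file content
 $content = $zip->getFromIndex($i);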
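Review bot: With the `..` check commented out in the third hunk, the archive-supplied `$filename` reaches the extraction code with no validation at all. The code that joins it to the destination is outside the hunk, but if it is concatenated onto `$appsDir`, an entry with a `..` segment or an absolute path would be written outside the install directory. The old check was over-broad because `strpos` matches `..` anywhere in the name, including harmless names like `notes..txt`. Comparing whole path segments removes those false positives while keeping the protection, so I would replace the commented-out block with the version below rather than leave it disabled. Where the target path is built, it is also worth confirming that the resolved destination still starts with the real path of `$appsDir`.

```php
$filename = $stat['name'];
// Security check: reject ".." path segments and absolute paths only
$segments = explode('/', str_replace('\\', '/', $filename));
if (in_array('..', $segments, true)
    || $segments[0] === ''
    || preg_match('/^[A-Za-z]:/', $filename) === 1) {
    echo "Error: ZIP contains invalid filename (path traversal): $filename\n";
    $zip->close();
    return false;
}
// … unchanged: extract file content …
```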