Removed directory-crossing restriction, since it seemed overly agressive
This commit is contained in:
16
pkg.php
16
pkg.php
@ -28,21 +28,17 @@ function validateManifest(array $manifest): array {
|
||||
function installPackage(string $zipPath, string $appsDir): bool {
|
||||
if (!file_exists($zipPath)) {
|
||||
die("Error: ZIP file does not exist.");
|
||||
return false;
|
||||
}
|
||||
|
||||
$zip = new ZipArchive();
|
||||
if ($zip->open($zipPath) !== true) {
|
||||
die("Error: Unable to open ZIP file.");
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check for manifest.json at root of ZIP
|
||||
$manifestIndex = $zip->locateName('manifest.json', ZipArchive::FL_NODIR);
|
||||
if ($manifestIndex === false) {
|
||||
die("Error: manifest.json not found in ZIP root.");
|
||||
$zip->close();
|
||||
return false;
|
||||
}
|
||||
|
||||
// Read and decode manifest.json
|
||||
@ -51,8 +47,6 @@ function installPackage(string $zipPath, string $appsDir): bool {
|
||||
|
||||
if (!$manifest) {
|
||||
die("Error: manifest.json contains invalid JSON.");
|
||||
$zip->close();
|
||||
return false;
|
||||
}
|
||||
|
||||
// Validate manifest fields
|
||||
@ -87,11 +81,11 @@ function installPackage(string $zipPath, string $appsDir): bool {
|
||||
$filename = $stat['name'];
|
||||
|
||||
// Security check: prevent path traversal
|
||||
if (strpos($filename, '..') !== false) {
|
||||
echo "Error: ZIP contains invalid filename (path traversal): $filename\n";
|
||||
$zip->close();
|
||||
return false;
|
||||
}
|
||||
// if (strpos($filename, '..') !== false) {
|
||||
// echo "Error: ZIP contains invalid filename (path traversal): $filename\n";
|
||||
// $zip->close();
|
||||
// return false;
|
||||
// }
|
||||
|
||||
// Extract file content
|
||||
$content = $zip->getFromIndex($i);
|
||||
|
||||
Reference in New Issue
Block a user