PclZip 2.5 : New Features

Sunday, 07 February 2010 15:13 Vincent

PclZip 2.5 introduces a security feature and the ability to modify the name of an archived file. To achieve this, a large part of the code was modified to manage attributes associated with individual files (or folders) and not only global options. In this release only the name of the file can be modified, but the code was restructured so that new per-file features can be added (such as adding a string as a file, changing the file dates, ...). However, the code has not yet been modified to offer the same feature when extracting files.

The user manual is not yet updated, so below is a quick start on this new feature:

require_once 'pclzip.lib.php';

$archive = new PclZip("archive.zip");
$list = $archive->create(array(
                    // stored under a new full path and name
                    array( PCLZIP_ATT_FILE_NAME => 'data/file1.txt',
                           PCLZIP_ATT_FILE_NEW_FULL_NAME => 'newdir/newname.txt'
                         ),
                    // only the file name is replaced
                    array( PCLZIP_ATT_FILE_NAME => 'data/file2.txt',
                           PCLZIP_ATT_FILE_NEW_SHORT_NAME => 'newfilename.txt'
                         ),
                    // stored under its original name
                    array( PCLZIP_ATT_FILE_NAME => 'data/file3.txt')
                  ),
                  PCLZIP_OPT_ADD_PATH, 'newpath',
                  PCLZIP_OPT_REMOVE_PATH, 'data');
if ($list == 0) {
  die("ERROR : '".$archive->errorInfo(true)."'");
}
 

A security alert was raised by GulfTech explaining that PclZip can be misused during file extraction. In fact, a script that uses PclZip to extract a zip file uploaded by a user of a web service can end up extracting a file that modifies a system file. PclZip supports the extraction of files into different folders. Release 2.5 adds an option to check that an extracted file is not outside a specific basedir. The idea is similar to the open_basedir restriction of PHP.

 

require_once 'pclzip.lib.php';

$archive = new PclZip("archive.zip");
// refuse any entry whose path falls outside ./base_dir
$list = $archive->extract(PCLZIP_OPT_EXTRACT_DIR_RESTRICTION, './base_dir');
if ($list == 0) {
  die("ERROR : '".$archive->errorInfo(true)."'");
}
 

In this example archive.zip will be extracted into the current folder. If any file has a path that is not inside 'base_dir', PclZip will stop and return an error. Note that the value associated with PCLZIP_OPT_EXTRACT_DIR_RESTRICTION must be a full path from the filesystem root (not a relative one). However, a leading './' indicates that the path is relative to the current path.
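The kind of containment test that a basedir restriction implies, written as an added example; it is not PclZip's own code. The helper names, the base directory and the entry names are constructed for illustration, and POSIX-style paths are assumed.

```php
<?php
// Added example, not PclZip code. POSIX-style paths assumed; helper names are hypothetical.

// Collapse '.', '..' and empty segments without touching the filesystem
// (the target files do not exist yet, so realpath() cannot be used).
function normalize_path(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out); // no-op at the root
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// True when $entryName, extracted under the absolute $baseDir, stays inside it.
function entry_stays_inside(string $baseDir, string $entryName): bool
{
    $base = normalize_path($baseDir);
    $entryName = str_replace('\\', '/', $entryName);
    // Assumption: an absolute entry name is taken as absolute (conservative).
    $target = ($entryName !== '' && $entryName[0] === '/')
        ? normalize_path($entryName)
        : normalize_path($base . '/' . $entryName);
    // Compare against the base plus a separator, so a sibling such as
    // 'base_dir_old' is not mistaken for something inside 'base_dir'.
    $prefix = rtrim($base, '/') . '/';
    return $target === $base || strncmp($target, $prefix, strlen($prefix)) === 0;
}

// Constructed sample entry names and base directory.
$base = '/var/www/app/base_dir';
$names = ['docs/readme.txt', 'docs/../notes.txt', '../base_dir_old/x.txt',
          '../../outside.txt', '/tmp/outside.txt'];
foreach ($names as $name) {
    $verdict = entry_stays_inside($base, $name) ? 'inside' : 'OUTSIDE';
    printf("%-24s %s\n", $name, $verdict);
}
```

The check is purely lexical: it does not follow symbolic links that already exist under the base directory.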

 

Last Updated on Sunday, 07 February 2010 15:19