facebook / hhvm

A virtual machine for executing programs written in Hack.

Home Page: https://hhvm.com


zip_open/ZipArchive should throw an exception in CLI server mode unless opening read-only

fredemmott opened this issue · comments

Describe the bug

| (_flags & ZIP_RDONLY ? O_RDONLY : O_RDWR);
attempts to set the appropriate flags for various modes in CLI server, however they will never work:

https://libzip.org/documentation/zip_fdopen.html

In contrast to zip_open(3), using zip_fdopen the archive can only be opened in read-only mode.

zip_open can't directly be used here because it would be a privilege escalation bug.

I think a 'real fix' would be making the CLI client process capable of high-level zip operations, but a clear 'unsupported in CLI server mode' exception would make debugging issues much simpler.

Standalone code, or other way to reproduce the problem

IN CLI SERVER MODE

$z = new ZipArchive();
$z->open('/tmp/foo.zip', ZIPARCHIVE::CREATE); // ALWAYS fails

Expected behavior

Ideally, it works, opening the zip as the CLI client user.
Better would be a clear exception saying why it will always fail.

Actual behavior

open fails, invalid zip
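
The behaviour requested in this issue, sketched as an added example (not HHVM source and not the reporter's code): a guard that rejects anything but a read-only open in CLI server mode and names the offending flags. `decideZipOpen`, `OpenDecision` and the `zipflag` namespace are hypothetical names; the flag values are copied from libzip's `zip.h`.

```cpp
#include <fcntl.h>
#include <iostream>
#include <string>

namespace zipflag {  // values as defined in libzip's zip.h
constexpr int CREATE = 1, EXCL = 2, CHECKCONS = 4, TRUNCATE = 8, RDONLY = 16;
}

struct OpenDecision {
  bool allowed;
  int fd_open_flags;  // open(2) flags for the CLI client's descriptor; -1 if unused
  std::string error;  // empty when allowed
};

// Hypothetical guard. In CLI server mode the archive reaches the server as a
// file descriptor and is handed to zip_fdopen(), which only opens read-only,
// so any request that implies writing is refused up front with a clear reason.
OpenDecision decideZipOpen(int flags, bool cliServerMode) {
  if (!cliServerMode) {
    return {true, -1, ""};  // path-based zip_open(): every mode is available
  }
  std::string bad;
  auto note = [&](int bit, const char* name) {
    if (flags & bit) {
      if (!bad.empty()) bad += "|";
      bad += name;
    }
  };
  note(zipflag::CREATE, "CREATE");
  note(zipflag::EXCL, "EXCL");
  note(zipflag::TRUNCATE, "TRUNCATE");
  const bool readOnly = (flags & zipflag::RDONLY) != 0;
  if (!bad.empty() || !readOnly) {
    std::string why = bad.empty() ? "RDONLY not set" : "requested " + bad;
    return {false, -1,
            "ZipArchive::open: unsupported in CLI server mode unless "
            "read-only (" + why + ")"};
  }
  return {true, O_RDONLY, ""};  // CHECKCONS may still accompany RDONLY
}

int main() {
  // The reproduction from the report: CREATE in CLI server mode.
  std::cout << decideZipOpen(zipflag::CREATE, true).error << "\n";
  return 0;
}
```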