1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
|
<?php
/**
* A class for reading ZIP file directories, for the purposes of upload
* verification.
*
* Only a functional interface is provided: ZipFileReader::read(). No access is
* given to object instances.
*
*/
class ZipDirectoryReader {
/**
* Read a ZIP file and call a function for each file discovered in it.
*
* Because this class is aimed at verification, an error is raised on
* suspicious or ambiguous input, instead of emulating some standard
* behaviour.
*
* @param $fileName string The archive file name
* @param $callback Array The callback function. It will be called for each file
* with a single associative array each time, with members:
*
* - name: The file name. Directories conventionally have a trailing
* slash.
*
* - mtime: The file modification time, in MediaWiki 14-char format
*
* - size: The uncompressed file size
*
* @param $options Array An associative array of read options, with the option
* name in the key. This may currently contain:
*
* - zip64: If this is set to true, then we will emulate a
* library with ZIP64 support, like OpenJDK 7. If it is set to
* false, then we will emulate a library with no knowledge of
* ZIP64.
*
* NOTE: The ZIP64 code is untested and probably doesn't work. It
* turned out to be easier to just reject ZIP64 archive uploads,
* since they are likely to be very rare. Confirming safety of a
* ZIP64 file is fairly complex. What do you do with a file that is
* ambiguous and broken when read with a non-ZIP64 reader, but valid
* when read with a ZIP64 reader? This situation is normal for a
* valid ZIP64 file, and working out what non-ZIP64 readers will make
* of such a file is not trivial.
*
* @return Status object. The following fatal errors are defined:
*
* - zip-file-open-error: The file could not be opened.
*
* - zip-wrong-format: The file does not appear to be a ZIP file.
*
* - zip-bad: There was something wrong or ambiguous about the file
* data.
*
* - zip-unsupported: The ZIP file uses features which
* ZipDirectoryReader does not support.
*
* The default messages for those fatal errors are written in a way that
* makes sense for upload verification.
*
* If a fatal error is returned, more information about the error will be
* available in the debug log.
*
* Note that the callback function may be called any number of times before
* a fatal error is returned. If this occurs, the data sent to the callback
* function should be discarded.
*/
public static function read( $fileName, $callback, $options = array() ) {
$zdr = new self( $fileName, $callback, $options );
return $zdr->execute();
}
/** The file name */
var $fileName;
/** The opened file resource */
var $file;
/** The cached length of the file, or null if it has not been loaded yet. */
var $fileLength;
/** A segmented cache of the file contents */
var $buffer;
/** The file data callback */
var $callback;
/** The ZIP64 mode */
var $zip64 = false;
/** Stored headers */
var $eocdr, $eocdr64, $eocdr64Locator;
/** The "extra field" ID for ZIP64 central directory entries */
const ZIP64_EXTRA_HEADER = 0x0001;
/** The segment size for the file contents cache */
const SEGSIZE = 16384;
/** The index of the "general field" bit for UTF-8 file names */
const GENERAL_UTF8 = 11;
/** The index of the "general field" bit for central directory encryption */
const GENERAL_CD_ENCRYPTED = 13;
/**
* Private constructor
*/
protected function __construct( $fileName, $callback, $options ) {
$this->fileName = $fileName;
$this->callback = $callback;
if ( isset( $options['zip64'] ) ) {
$this->zip64 = $options['zip64'];
}
}
/**
* Read the directory according to settings in $this.
*
* @return Status
*/
function execute() {
$this->file = fopen( $this->fileName, 'r' );
$this->data = array();
if ( !$this->file ) {
return Status::newFatal( 'zip-file-open-error' );
}
$status = Status::newGood();
try {
$this->readEndOfCentralDirectoryRecord();
if ( $this->zip64 ) {
list( $offset, $size ) = $this->findZip64CentralDirectory();
$this->readCentralDirectory( $offset, $size );
} else {
if ( $this->eocdr['CD size'] == 0xffffffff
|| $this->eocdr['CD offset'] == 0xffffffff
|| $this->eocdr['CD entries total'] == 0xffff )
{
$this->error( 'zip-unsupported', 'Central directory header indicates ZIP64, ' .
'but we are in legacy mode. Rejecting this upload is necessary to avoid '.
'opening vulnerabilities on clients using OpenJDK 7 or later.' );
}
list( $offset, $size ) = $this->findOldCentralDirectory();
$this->readCentralDirectory( $offset, $size );
}
} catch ( ZipDirectoryReaderError $e ) {
$status->fatal( $e->getErrorCode() );
}
fclose( $this->file );
return $status;
}
/**
* Throw an error, and log a debug message
*/
function error( $code, $debugMessage ) {
wfDebug( __CLASS__.": Fatal error: $debugMessage\n" );
throw new ZipDirectoryReaderError( $code );
}
/**
* Read the header which is at the end of the central directory,
* unimaginatively called the "end of central directory record" by the ZIP
* spec.
*/
function readEndOfCentralDirectoryRecord() {
$info = array(
'signature' => 4,
'disk' => 2,
'CD start disk' => 2,
'CD entries this disk' => 2,
'CD entries total' => 2,
'CD size' => 4,
'CD offset' => 4,
'file comment length' => 2,
);
$structSize = $this->getStructSize( $info );
$startPos = $this->getFileLength() - 65536 - $structSize;
if ( $startPos < 0 ) {
$startPos = 0;
}
$block = $this->getBlock( $startPos );
$sigPos = strrpos( $block, "PK\x05\x06" );
if ( $sigPos === false ) {
$this->error( 'zip-wrong-format',
"zip file lacks EOCDR signature. It probably isn't a zip file." );
}
$this->eocdr = $this->unpack( substr( $block, $sigPos ), $info );
$this->eocdr['EOCDR size'] = $structSize + $this->eocdr['file comment length'];
if ( $structSize + $this->eocdr['file comment length'] != strlen( $block ) - $sigPos ) {
$this->error( 'zip-bad', 'trailing bytes after the end of the file comment' );
}
if ( $this->eocdr['disk'] !== 0
|| $this->eocdr['CD start disk'] !== 0 )
{
$this->error( 'zip-unsupported', 'more than one disk (in EOCDR)' );
}
$this->eocdr += $this->unpack(
$block,
array( 'file comment' => array( 'string', $this->eocdr['file comment length'] ) ),
$sigPos + $structSize );
$this->eocdr['position'] = $startPos + $sigPos;
}
/**
* Read the header called the "ZIP64 end of central directory locator". An
* error will be raised if it does not exist.
*/
function readZip64EndOfCentralDirectoryLocator() {
$info = array(
'signature' => array( 'string', 4 ),
'eocdr64 start disk' => 4,
'eocdr64 offset' => 8,
'number of disks' => 4,
);
$structSize = $this->getStructSize( $info );
$block = $this->getBlock( $this->getFileLength() - $this->eocdr['EOCDR size']
- $structSize, $structSize );
$this->eocdr64Locator = $data = $this->unpack( $block, $info );
if ( $data['signature'] !== "PK\x06\x07" ) {
// Note: Java will allow this and continue to read the
// EOCDR64, so we have to reject the upload, we can't
// just use the EOCDR header instead.
$this->error( 'zip-bad', 'wrong signature on Zip64 end of central directory locator' );
}
}
/**
* Read the header called the "ZIP64 end of central directory record". It
* may replace the regular "end of central directory record" in ZIP64 files.
*/
function readZip64EndOfCentralDirectoryRecord() {
if ( $this->eocdr64Locator['eocdr64 start disk'] != 0
|| $this->eocdr64Locator['number of disks'] != 0 )
{
$this->error( 'zip-unsupported', 'more than one disk (in EOCDR64 locator)' );
}
$info = array(
'signature' => array( 'string', 4 ),
'EOCDR64 size' => 8,
'version made by' => 2,
'version needed' => 2,
'disk' => 4,
'CD start disk' => 4,
'CD entries this disk' => 8,
'CD entries total' => 8,
'CD size' => 8,
'CD offset' => 8
);
$structSize = $this->getStructSize( $info );
$block = $this->getBlock( $this->eocdr64Locator['eocdr64 offset'], $structSize );
$this->eocdr64 = $data = $this->unpack( $block, $info );
if ( $data['signature'] !== "PK\x06\x06" ) {
$this->error( 'zip-bad', 'wrong signature on Zip64 end of central directory record' );
}
if ( $data['disk'] !== 0
|| $data['CD start disk'] !== 0 )
{
$this->error( 'zip-unsupported', 'more than one disk (in EOCDR64)' );
}
}
/**
* Find the location of the central directory, as would be seen by a
* non-ZIP64 reader.
*
* @return List containing offset, size and end position.
*/
function findOldCentralDirectory() {
$size = $this->eocdr['CD size'];
$offset = $this->eocdr['CD offset'];
$endPos = $this->eocdr['position'];
// Some readers use the EOCDR position instead of the offset field
// to find the directory, so to be safe, we check if they both agree.
if ( $offset + $size != $endPos ) {
$this->error( 'zip-bad', 'the central directory does not immediately precede the end ' .
'of central directory record' );
}
return array( $offset, $size );
}
/**
* Find the location of the central directory, as would be seen by a
* ZIP64-compliant reader.
*
* @return List containing offset, size and end position.
*/
function findZip64CentralDirectory() {
// The spec is ambiguous about the exact rules of precedence between the
// ZIP64 headers and the original headers. Here we follow zip_util.c
// from OpenJDK 7.
$size = $this->eocdr['CD size'];
$offset = $this->eocdr['CD offset'];
$numEntries = $this->eocdr['CD entries total'];
$endPos = $this->eocdr['position'];
if ( $size == 0xffffffff
|| $offset == 0xffffffff
|| $numEntries == 0xffff )
{
$this->readZip64EndOfCentralDirectoryLocator();
if ( isset( $this->eocdr64Locator['eocdr64 offset'] ) ) {
$this->readZip64EndOfCentralDirectoryRecord();
if ( isset( $this->eocdr64['CD offset'] ) ) {
$size = $this->eocdr64['CD size'];
$offset = $this->eocdr64['CD offset'];
$endPos = $this->eocdr64Locator['eocdr64 offset'];
}
}
}
// Some readers use the EOCDR position instead of the offset field
// to find the directory, so to be safe, we check if they both agree.
if ( $offset + $size != $endPos ) {
$this->error( 'zip-bad', 'the central directory does not immediately precede the end ' .
'of central directory record' );
}
return array( $offset, $size );
}
/**
* Read the central directory at the given location
*/
function readCentralDirectory( $offset, $size ) {
$block = $this->getBlock( $offset, $size );
$fixedInfo = array(
'signature' => array( 'string', 4 ),
'version made by' => 2,
'version needed' => 2,
'general bits' => 2,
'compression method' => 2,
'mod time' => 2,
'mod date' => 2,
'crc-32' => 4,
'compressed size' => 4,
'uncompressed size' => 4,
'name length' => 2,
'extra field length' => 2,
'comment length' => 2,
'disk number start' => 2,
'internal attrs' => 2,
'external attrs' => 4,
'local header offset' => 4,
);
$fixedSize = $this->getStructSize( $fixedInfo );
$pos = 0;
while ( $pos < $size ) {
$data = $this->unpack( $block, $fixedInfo, $pos );
$pos += $fixedSize;
if ( $data['signature'] !== "PK\x01\x02" ) {
$this->error( 'zip-bad', 'Invalid signature found in directory entry' );
}
$variableInfo = array(
'name' => array( 'string', $data['name length'] ),
'extra field' => array( 'string', $data['extra field length'] ),
'comment' => array( 'string', $data['comment length'] ),
);
$data += $this->unpack( $block, $variableInfo, $pos );
$pos += $this->getStructSize( $variableInfo );
if ( $this->zip64 && (
$data['compressed size'] == 0xffffffff
|| $data['uncompressed size'] == 0xffffffff
|| $data['local header offset'] == 0xffffffff ) )
{
$zip64Data = $this->unpackZip64Extra( $data['extra field'] );
if ( $zip64Data ) {
$data = $zip64Data + $data;
}
}
if ( $this->testBit( $data['general bits'], self::GENERAL_CD_ENCRYPTED ) ) {
$this->error( 'zip-unsupported', 'central directory encryption is not supported' );
}
// Convert the timestamp into MediaWiki format
// For the format, please see the MS-DOS 2.0 Programmer's Reference,
// pages 3-5 and 3-6.
$time = $data['mod time'];
$date = $data['mod date'];
$year = 1980 + ( $date >> 9 );
$month = ( $date >> 5 ) & 15;
$day = $date & 31;
$hour = ( $time >> 11 ) & 31;
$minute = ( $time >> 5 ) & 63;
$second = ( $time & 31 ) * 2;
$timestamp = sprintf( "%04d%02d%02d%02d%02d%02d",
$year, $month, $day, $hour, $minute, $second );
// Convert the character set in the file name
if ( !function_exists( 'iconv' )
|| $this->testBit( $data['general bits'], self::GENERAL_UTF8 ) )
{
$name = $data['name'];
} else {
$name = iconv( 'CP437', 'UTF-8', $data['name'] );
}
// Compile a data array for the user, with a sensible format
$userData = array(
'name' => $name,
'mtime' => $timestamp,
'size' => $data['uncompressed size'],
);
call_user_func( $this->callback, $userData );
}
}
/**
* Interpret ZIP64 "extra field" data and return an associative array.
*/
function unpackZip64Extra( $extraField ) {
$extraHeaderInfo = array(
'id' => 2,
'size' => 2,
);
$extraHeaderSize = $this->getStructSize( $extraHeaderInfo );
$zip64ExtraInfo = array(
'uncompressed size' => 8,
'compressed size' => 8,
'local header offset' => 8,
'disk number start' => 4,
);
$extraPos = 0;
while ( $extraPos < strlen( $extraField ) ) {
$extra = $this->unpack( $extraField, $extraHeaderInfo, $extraPos );
$extraPos += $extraHeaderSize;
$extra += $this->unpack( $extraField,
array( 'data' => array( 'string', $extra['size'] ) ),
$extraPos );
$extraPos += $extra['size'];
if ( $extra['id'] == self::ZIP64_EXTRA_HEADER ) {
return $this->unpack( $extra['data'], $zip64ExtraInfo );
}
}
return false;
}
/**
* Get the length of the file.
*/
function getFileLength() {
if ( $this->fileLength === null ) {
$stat = fstat( $this->file );
$this->fileLength = $stat['size'];
}
return $this->fileLength;
}
/**
* Get the file contents from a given offset. If there are not enough bytes
* in the file to satisfy the request, an exception will be thrown.
*
* @param $start The byte offset of the start of the block.
* @param $length The number of bytes to return. If omitted, the remainder
* of the file will be returned.
*
* @return string
*/
function getBlock( $start, $length = null ) {
$fileLength = $this->getFileLength();
if ( $start >= $fileLength ) {
$this->error( 'zip-bad', "getBlock() requested position $start, " .
"file length is $fileLength" );
}
if ( $length === null ) {
$length = $fileLength - $start;
}
$end = $start + $length;
if ( $end > $fileLength ) {
$this->error( 'zip-bad', "getBlock() requested end position $end, " .
"file length is $fileLength" );
}
$startSeg = floor( $start / self::SEGSIZE );
$endSeg = ceil( $end / self::SEGSIZE );
$block = '';
for ( $segIndex = $startSeg; $segIndex <= $endSeg; $segIndex++ ) {
$block .= $this->getSegment( $segIndex );
}
$block = substr( $block,
$start - $startSeg * self::SEGSIZE,
$length );
if ( strlen( $block ) < $length ) {
$this->error( 'zip-bad', 'getBlock() returned an unexpectedly small amount of data' );
}
return $block;
}
/**
* Get a section of the file starting at position $segIndex * self::SEGSIZE,
* of length self::SEGSIZE. The result is cached. This is a helper function
* for getBlock().
*
* If there are not enough bytes in the file to satsify the request, the
* return value will be truncated. If a request is made for a segment beyond
* the end of the file, an empty string will be returned.
*/
function getSegment( $segIndex ) {
if ( !isset( $this->buffer[$segIndex] ) ) {
$bytePos = $segIndex * self::SEGSIZE;
if ( $bytePos >= $this->getFileLength() ) {
$this->buffer[$segIndex] = '';
return '';
}
if ( fseek( $this->file, $bytePos ) ) {
$this->error( 'zip-bad', "seek to $bytePos failed" );
}
$seg = fread( $this->file, self::SEGSIZE );
if ( $seg === false ) {
$this->error( 'zip-bad', "read from $bytePos failed" );
}
$this->buffer[$segIndex] = $seg;
}
return $this->buffer[$segIndex];
}
/**
* Get the size of a structure in bytes. See unpack() for the format of $struct.
*/
function getStructSize( $struct ) {
$size = 0;
foreach ( $struct as $type ) {
if ( is_array( $type ) ) {
list( $typeName, $fieldSize ) = $type;
$size += $fieldSize;
} else {
$size += $type;
}
}
return $size;
}
/**
* Unpack a binary structure. This is like the built-in unpack() function
* except nicer.
*
* @param $string The binary data input
*
* @param $struct An associative array giving structure members and their
* types. In the key is the field name. The value may be either an
* integer, in which case the field is a little-endian unsigned integer
* encoded in the given number of bytes, or an array, in which case the
* first element of the array is the type name, and the subsequent
* elements are type-dependent parameters. Only one such type is defined:
* - "string": The second array element gives the length of string.
* Not null terminated.
*
* @param $offset The offset into the string at which to start unpacking.
*
* @return Unpacked associative array. Note that large integers in the input
* may be represented as floating point numbers in the return value, so
* the use of weak comparison is advised.
*/
function unpack( $string, $struct, $offset = 0 ) {
$size = $this->getStructSize( $struct );
if ( $offset + $size > strlen( $string ) ) {
$this->error( 'zip-bad', 'unpack() would run past the end of the supplied string' );
}
$data = array();
$pos = $offset;
foreach ( $struct as $key => $type ) {
if ( is_array( $type ) ) {
list( $typeName, $fieldSize ) = $type;
switch ( $typeName ) {
case 'string':
$data[$key] = substr( $string, $pos, $fieldSize );
$pos += $fieldSize;
break;
default:
throw new MWException( __METHOD__.": invalid type \"$typeName\"" );
}
} else {
// Unsigned little-endian integer
$length = intval( $type );
$bytes = substr( $string, $pos, $length );
// Calculate the value. Use an algorithm which automatically
// upgrades the value to floating point if necessary.
$value = 0;
for ( $i = $length - 1; $i >= 0; $i-- ) {
$value *= 256;
$value += ord( $string[$pos + $i] );
}
// Throw an exception if there was loss of precision
if ( $value > pow( 2, 52 ) ) {
$this->error( 'zip-unsupported', 'number too large to be stored in a double. ' .
'This could happen if we tried to unpack a 64-bit structure ' .
'at an invalid location.' );
}
$data[$key] = $value;
$pos += $length;
}
}
return $data;
}
/**
* Returns a bit from a given position in an integer value, converted to
* boolean.
*
* @param $value integer
* @param $bitIndex The index of the bit, where 0 is the LSB.
*/
function testBit( $value, $bitIndex ) {
return (bool)( ( $value >> $bitIndex ) & 1 );
}
/**
* Debugging helper function which dumps a string in hexdump -C format.
*/
function hexDump( $s ) {
$n = strlen( $s );
for ( $i = 0; $i < $n; $i += 16 ) {
printf( "%08X ", $i );
for ( $j = 0; $j < 16; $j++ ) {
print " ";
if ( $j == 8 ) {
print " ";
}
if ( $i + $j >= $n ) {
print " ";
} else {
printf( "%02X", ord( $s[$i + $j] ) );
}
}
print " |";
for ( $j = 0; $j < 16; $j++ ) {
if ( $i + $j >= $n ) {
print " ";
} elseif ( ctype_print( $s[$i + $j] ) ) {
print $s[$i + $j];
} else {
print '.';
}
}
print "|\n";
}
}
}
/**
* Internal exception class. Will be caught by private code.
*/
class ZipDirectoryReaderError extends Exception {
var $code;
function __construct( $code ) {
$this->code = $code;
parent::__construct( "ZipDirectoryReader error: $code" );
}
function getErrorCode() {
return $this->code;
}
}
|