Skip to content

ext/phar: add upper-bound check on LongLink entry size to prevent OOM DoS#22557

Open
crystarm wants to merge 1 commit into
php:masterfrom
crystarm:fix/phar-longlink-oom
Open

ext/phar: add upper-bound check on LongLink entry size to prevent OOM DoS#22557
crystarm wants to merge 1 commit into
php:masterfrom
crystarm:fix/phar-longlink-oom

Conversation

@crystarm

@crystarm crystarm commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Fixes #22556.

@LamentXU123 LamentXU123 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks sensible to me. (except for the constant)

@LamentXU123

Copy link
Copy Markdown
Member

@crystarm You might need to add a NEWS entry to inform the users about your change. Also given this is actually making the checker stricter, I don't sure whether we should target 8.4 or master for this fix (not sure this is a bug fix or a feature request) might need to hear from other's opinions.

@Girgias Girgias left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we checking against MAXPATHLEN? This doesn't seem to be related to a path at all?

Comment thread ext/phar/tar.c Outdated
if (entry.uncompressed_filesize == UINT_MAX || entry.uncompressed_filesize == 0) {
/* Check for overflow or unreasonable size - bug 61065 */
if (entry.uncompressed_filesize == 0
|| entry.uncompressed_filesize == UINT_MAX

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is pointless now ?

Comment thread ext/phar/tar.c Outdated
/* Check for overflow or unreasonable size - bug 61065 */
if (entry.uncompressed_filesize == 0
|| entry.uncompressed_filesize == UINT_MAX
|| entry.uncompressed_filesize > MAXPATHLEN) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The MAXPATHLEN constant is for reflecting the platform's max path length. Well I agree we need to add a maximum filesize but seems like we need to introduce a new private constant on this.

Maybe UINT16_MAX will be proper? @Girgias

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MAXPATHLEN is usually 1024 or 4096, nowhere near UINT*_MAX values is what I meant.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyhow we shouldn't use MAXPATHLEN here because at least we don't want the max filesize of a tar phar file associated with the platform's max path len. Perhaps we need a separate constant on this.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kind of agree, now that I m a bit more awake, MAXPATHLEN is inappropriate in this context anyway.

@crystarm crystarm force-pushed the fix/phar-longlink-oom branch from a7c03d4 to 5d640a8 Compare July 3, 2026 11:27
@crystarm

crystarm commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Thanks everyone for the feedback! ( ദ്ദി °ᗜ° ) I've addressed all the suggestions and added a NEWS entry.

@crystarm

crystarm commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@LamentXU123 @devnexen @Girgias
Should I open backport PRs to PHP-8.4 and PHP-8.3 as well?

@LamentXU123

Copy link
Copy Markdown
Member

8.3 is now end of life. Also, we generally merge up branches instead of backport to lower branches. So you can just rebase to 8.4 if you want to (but I don't sure if this should goes to 8.4 because this looks like a new feature to me, might need to wait for other's opinion). Also you can draft this PR if you are rebasing to prevent accidentally request a review to everyone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ext/phar: LongLink TAR entry causes ~4 GB allocation due to missing upper-bound check (DoS)

4 participants