PclZip 2.5 introduce a security feature and the ability to modify the name of the file archived. To achieve this a large part of the code was modified in order to manage attributes associated to files (or folder) and not only global options. In this release only the name of the file can be modified, but the code was restructured in order to be able to add new features on a per file basis (like add a string as a file, change the file dates, …). However the code was not modified yet to offer the same feature while extracting files.
$archive = new PclZip("archive.zip");
$list = $archive->create(array(
array( PCLZIP_ATT_FILE_NAME => 'data/file1.txt',
PCLZIP_ATT_FILE_NEW_FULL_NAME => 'newdir/newname.txt'
),
array( PCLZIP_ATT_FILE_NAME => 'data/file2.txt',
PCLZIP_ATT_FILE_NEW_SHORT_NAME => 'newfilename.txt'
),
array( PCLZIP_ATT_FILE_NAME => 'data/file3.txt')
),
PCLZIP_OPT_ADD_PATH, 'newpath',
PCLZIP_OPT_REMOVE_PATH, 'data');
if ($list == 0) {
die("ERROR : '".$archive->errorInfo(true)."'");
} - With PCLZIP_ATT_FILE_NEW_FULL_NAME, 'data/file1.txt' will be completed replaced by 'newdir/newname.txt'. The global options PCLZIP_OPT_ADD_PATH and PCLZIP_OPT_REMOVE_PATH are ignored in this case.
- With PCLZIP_ATT_FILE_SHORT_NAME, 'file2.txt', will be first replaced by 'newfilename.txt', then the global options will be applied to modify the path on the resulting name.
A security alert was raised by GulfTech explaining that PclZip can be badly used during the file extraction. In fact a script using PclZip to extract a zip file uploaded by a user of a web service, can have the effect of extracting a file and modifying a système file. PclZip support the extraction of files in different folders. Release 2.5 add an option to control that the extracted file is not outside a specific basedir. The idea is similar to the open_basedir restriction of PHP.
Web Branches 