ext/phar: improve .phar madic directory preservation logic in phar::addEmptyDir()

LamentXU123 · LamentXU123 · commit e2941e24ce77 · 2026-05-25T16:59:28.000+08:00
diff --git a/NEWS b/NEWS
@@ -15,6 +15,11 @@ PHP                                                                        NEWS
     IntlCalendar::equals(), ::before(), ::after(), and ::isEquivalentTo().
     (Weilin Du)
 
+- Phar:
+  . Fixed a bypass of the magic ".phar" directory protection in
+    Phar::addEmptyDir() for paths starting with "/.phar", while allowing
+    non-magic directory names that merely share the ".phar" prefix. (Weilin Du)
+
 - Zlib:
   . Fixed memory leak if deflate initialization fails and there is a dict.
     (ndossche)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -3863,9 +3863,16 @@ PHP_METHOD(Phar, addEmptyDir)
 
 	PHAR_ARCHIVE_OBJECT();
 
-	if (zend_string_starts_with_literal(dir_name, ".phar")) {
-		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create a directory in magic \".phar\" directory");
-		RETURN_THROWS();
+	if (
+		zend_string_starts_with_literal(dir_name, ".phar")
+		|| zend_string_starts_with_literal(dir_name, "/.phar")
+	) {
+		size_t prefix_len = (ZSTR_VAL(dir_name)[0] == '/') + sizeof(".phar")-1;
+		char next_char = ZSTR_VAL(dir_name)[prefix_len];
+		if (next_char == '/' || next_char == '\\' || next_char == '\0') {
+			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot create a directory in magic \".phar\" directory");
+			RETURN_THROWS();
+		}
 	}
 
 	phar_mkdir(&phar_obj->archive, dir_name);
diff --git a/ext/phar/tests/mkdir.phpt b/ext/phar/tests/mkdir.phpt
@@ -24,6 +24,13 @@ $a->addEmptyDir('.phar');
 } catch (Exception $e) {
 echo $e->getMessage(),"\n";
 }
+try {
+$a->addEmptyDir('/.phar');
+} catch (Exception $e) {
+echo $e->getMessage(),"\n";
+}
+$a->addEmptyDir('/.pharx');
+var_dump(is_dir($pname . '/.pharx'));
 ?>
 --CLEAN--
 <?php
@@ -43,3 +50,5 @@ Warning: rmdir(): phar error: cannot remove directory "" in phar "foo.phar", dir
 
 Warning: rmdir(): phar error: cannot remove directory "a" in phar "%smkdir.phar.php", phar error: path "a" exists and is a not a directory in %smkdir.php on line %d
 Cannot create a directory in magic ".phar" directory
+Cannot create a directory in magic ".phar" directory
+bool(true)
