Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unchecked return value of ZipArchive::locateName #262

Closed
2 of 3 tasks
anton-harvey opened this issue Oct 25, 2017 · 2 comments
Closed
2 of 3 tasks

Unchecked return value of ZipArchive::locateName #262

anton-harvey opened this issue Oct 25, 2017 · 2 comments
Labels
bug reader/xlsx Reader for MS OfficeOpenXML-format (xlsx) spreadsheet files

Comments

@anton-harvey
Copy link
Contributor

anton-harvey commented Oct 25, 2017
edited
Loading

This is:

What is the expected behavior?

The Reader\Xlsx::getFromZipArchive function should return false if the zip entry could not be located.

What is the current behavior?

If it exists, the contents of the zip entry at index 0 is returned.

What are the steps to reproduce?

Provided upon (further) request. 😅

Which versions of PhpSpreadsheet and PHP are affected?

All PhpSpreadsheet versions. Tested on PHP 7.0.17.

ZipArchive::locateName

Returns the index of the entry on success or FALSE on failure.

The Reader\Xlsx::getFromZipArchive function does not check whether the return value of ZipArchive::locateName is false. When it is, it's passed straight into ZipArchive::getFromIndex, which casts it to an integer, resulting in it retrieving the entry at index 0.

PhpSpreadsheet/src/PhpSpreadsheet/Reader/Xlsx.php

Lines 304 to 312 in 25ff914

// Apache POI fixes
$contents = $archive->getFromIndex(
$archive->locateName($fileName, ZipArchive::FL_NOCASE)
);
if ($contents === false) {
$contents = $archive->getFromIndex(
$archive->locateName(substr($fileName, 1), ZipArchive::FL_NOCASE)
);
}

ZipArchive::getFromName appears to be a good alternative:

string ZipArchive::getFromName ( string $name [, int $length = 0 [, int $flags ]] )

Returns the entry contents using its name.
Returns the contents of the entry on success or FALSE on failure.

$contents = $archive->getFromName($fileName, 0, ZipArchive::FL_NOCASE);
@PowerKiKi
Copy link
Member

That sounds about right. Would you mind providing a PR for that ?

@PowerKiKi PowerKiKi added bug reader/xlsx Reader for MS OfficeOpenXML-format (xlsx) spreadsheet files labels Oct 26, 2017
@anton-harvey
Copy link
Contributor Author

I'll make a PR in a few days.

@anton-harvey anton-harvey mentioned this issue Nov 1, 2017
Closed
7 tasks
Dfred pushed a commit to Dfred/PhpSpreadsheet that referenced this issue Nov 20, 2018
@anton-harvey
Return false if the zip entry could not be located
1a5165e 
Previously the function did not check whether the return value of `ZipArchive::locateName`
was `false`. And when it was, it was passed straight into `ZipArchive::getFromIndex`,
which casts it to an integer, resulting in it incorrectly retrieving the entry at index `0`.

Fixes PHPOffice#262
Closes PHPOffice#268
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug reader/xlsx Reader for MS OfficeOpenXML-format (xlsx) spreadsheet files
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PowerKiKi @anton-harvey