1--TEST-- 2Bug #65414 Injection (A1) in .phar files magic .phar directory 3--SKIPIF-- 4<?php if (!extension_loaded("phar")) die("skip"); ?> 5--INI-- 6phar.readonly = 0 7--FILE-- 8<?php 9$phar = new \Phar(__DIR__ . '/bug65414.phar', 0, 'bug65414.phar'); 10$bads = [ 11 '.phar/injected-1.txt', 12 '/.phar/injected-2.txt', 13 '//.phar/injected-3.txt', 14 '/.phar/', 15]; 16foreach ($bads as $bad) { 17 echo $bad . ':'; 18 try { 19 $phar->addFromString($bad, 'this content is injected'); 20 echo 'Failed to throw expected exception'; 21 } catch (BadMethodCallException $ex) { 22 echo $ex->getMessage() . PHP_EOL; 23 } 24} 25echo 'done' . PHP_EOL; 26?> 27--CLEAN-- 28<?php 29unlink(__DIR__ . '/bug65414.phar'); 30?> 31--EXPECT-- 32.phar/injected-1.txt:Cannot create any files in magic ".phar" directory 33/.phar/injected-2.txt:Cannot create any files in magic ".phar" directory 34//.phar/injected-3.txt:Entry //.phar/injected-3.txt does not exist and cannot be created: phar error: invalid path "//.phar/injected-3.txt" contains double slash 35/.phar/:Cannot create any files in magic ".phar" directory 36done 37