A security issue has been found in PHP on Windows before versions 8.0.11 and 7.4.24. It is possible to construct ZIP archives containing files which are placed outside the destination directory given to ZipArchive::extractTo() because the implementation of php_zip_make_relative_path() doesn't properly cater to absolute directories on Windows; a path starting with a slash is not an absolute path on Windows, but rather a relative path pointing to the current volume.
A security issue has been found in PHP on Windows before versions 8.0.11 and 7.4.24. It is possible to construct ZIP archives containing files which are placed outside the destination directory given to ZipArchive::extractTo() because the implementation of php_zip_make_relative_path() doesn't properly cater to absolute directories on Windows; a path starting with a slash is not an absolute path on Windows, but rather a relative path pointing to the current volume.
https://www.php.net/ChangeLog-8.php#8.0.11 https://www.php.net/ChangeLog-7.php#7.4.24 https://bugs.php.net/bug.php?id=81420 https://github.com/php/php-src/commit/9976b5cd7f36d90b49d1dcf58ec6497f0e592b7d#commitcomment-55762818 https://github.com/php/php-src/commit/931bfc29ceb03265a45b4777992e9fc5ad7ee343 https://github.com/php/php-src/commit/648dce9ea95b6d63685fe6efa88e7ef662a4819a