[wp-trac] [WordPress Trac] #25061: Plugin/Theme/Core Updates Fail When Curl Used and String Function Overloading Configured

WordPress Trac noreply at wordpress.org
Sat Aug 17 15:38:57 UTC 2013


#25061: Plugin/Theme/Core Updates Fail When Curl Used and String Function
Overloading Configured
--------------------------+-----------------------------
 Reporter:  DrProtocols   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  HTTP          |    Version:  3.6
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 When downloading an update in the form of a zip file the update
 consistently fails with a failure to find the end of central dir record
 when unpack is attempted. For example:

 Downloading update from
 http://downloads.wordpress.org/plugin/addthis.3.5.1.zip…

 Unpacking the update…

 The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable
 to find End of Central Dir Record signature

 The download is using curl.

 To reproduce add the following to PHP configuration:

 mbstring.func_overload = 2;

 which enables str*() function overloading.

 The problem is caused by the new stream_body() function in
 wp-includes/class-http.php which uses the strlen() function to simply return the
 length of data written but when overloaded with the multi-byte function
 the count is almost certainly incorrect when the data is binary data such
 as part of a zip file download. Because for a chunk the function returns a
 count different from that expected by curl it terminates the transfer as
 "completed" at that point which appears as a successful outcome. But of
 course the downloaded file is incomplete so when pclzip tries to unzip it
 the above failure results.

 Attached are two files:
 stream_body_problem.txt shows a _working_ case where the "written" value
 is the value returned by fwrite() against the "string length" value which
 is the value according to strlen()
 stream_body_hack.txt shows a hacked function that handles the case where
 function overloading is enabled (not saying this is the way to do it but
 just to illustrate)

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25061>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
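
A byte-safe write callback for the situation the ticket describes, as an added example that is not part of the original ticket, its attachments or WordPress core. The function names byte_length() and write_chunk() and the sample chunk are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress core code. byte_length() and write_chunk()
// are hypothetical names.

// Length of $data in bytes, even when mbstring.func_overload has bit 2 set
// and strlen() has been replaced by its multi-byte equivalent.
function byte_length($data)
{
    // ini_get() returns false (cast to 0) where the setting does not exist.
    $overload = (int) ini_get('mbstring.func_overload');
    if (($overload & 2) && function_exists('mb_strlen')) {
        return mb_strlen($data, '8bit'); // '8bit' counts raw bytes
    }
    return strlen($data);
}

// Body of a CURLOPT_WRITEFUNCTION callback: curl expects the number of bytes
// consumed, so report what fwrite() stored rather than a string length.
function write_chunk($fp, $data)
{
    $written = fwrite($fp, $data);
    if ($written === false || $written !== byte_length($data)) {
        return 0; // short or failed write: do not claim the chunk was stored
    }
    return $written;
}

// Constructed chunk: the zip End of Central Dir signature followed by bytes
// that happen to form multi-byte UTF-8 sequences, then two NUL bytes.
$chunk = "PK\x05\x06" . "\xC3\xA9\xE2\x82\xAC" . "\x00\x00";

$fp = fopen('php://memory', 'w+b');
$returned = write_chunk($fp, $chunk);
fclose($fp);

printf("bytes returned to curl: %d\n", $returned);
if (function_exists('mb_strlen')) {
    // Character count under a UTF-8 internal encoding, for comparison.
    printf("UTF-8 character count:  %d\n", mb_strlen($chunk, 'UTF-8'));
}

// With a real transfer the callback is registered like this:
// curl_setopt($ch, CURLOPT_WRITEFUNCTION, function ($ch, $data) use ($fp) {
//     return write_chunk($fp, $data);
// });
```

Comparing the size of the saved file against the Content-Length header before unpacking catches a truncated package independently of the callback.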

