[wp-trac] [WordPress Trac] #25061: Plugin/Theme/Core Updates Fail When Curl Used and String Function Overloading Configured
WordPress Trac
noreply at wordpress.org
Sat Aug 17 19:07:49 UTC 2013
#25061: Plugin/Theme/Core Updates Fail When Curl Used and String Function
Overloading Configured
--------------------------+--------------------
 Reporter:  DrProtocols   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.6.1
Component:  HTTP          |     Version:  3.6
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+--------------------
Old description:
> When downloading an update in the form of a zip file the update
> consistently fails with a failure to find the end of central dir record
> when unpack is attempted. For example:
>
> Downloading update from
> http://downloads.wordpress.org/plugin/addthis.3.5.1.zip…
>
> Unpacking the update…
>
> The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable
> to find End of Central Dir Record signature
>
> The download is using curl.
>
> To reproduce add the following to PHP configuration:
>
> mbstring.func_overload = 2;
>
> which enables str*() function overloading.
>
> The problem is caused by the new stream_body() function in
> wp-includes/class-http.php which uses the strlen() function to simply return the
> length of data written but when overloaded with the multi-byte function
> the count is almost certainly incorrect when the data is binary data such
> as part of a zip file download. Because for a chunk the function returns
> a count different from that expected by curl it terminates the transfer
> as "completed" at that point which appears as a successful outcome. But
> of course the downloaded file is incomplete so when pclzip tries to unzip
> it the above failure results.
>
> Attached are two files:
> stream_body_problem.txt shows a _working_ case where the "written" value
> is the value returned by fwrite() against the "string length" value which
> is the value according to strlen()
> stream_body_hack.txt shows a hacked function that handles the case where
> function overloading is enabled (not saying this is the way to do it but
> just to illustrate)
New description:

When downloading an update in the form of a zip file the update
consistently fails with a failure to find the end of central dir record
when unpack is attempted. For example:

{{{
Downloading update from
http://downloads.wordpress.org/plugin/addthis.3.5.1.zip…
Unpacking the update…
The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable
to find End of Central Dir Record signature
}}}

The download is using curl.

To reproduce add the following to PHP configuration:

{{{
mbstring.func_overload = 2;
}}}

which enables str*() function overloading.

The problem is caused by the new stream_body() function in
wp-includes/class-http.php which uses the strlen() function to simply return the
length of data written but when overloaded with the multi-byte function
the count is almost certainly incorrect when the data is binary data such
as part of a zip file download. Because for a chunk the function returns a
count different from that expected by curl it terminates the transfer as
"completed" at that point which appears as a successful outcome. But of
course the downloaded file is incomplete so when pclzip tries to unzip it
the above failure results.

Attached are two files:

stream_body_problem.txt shows a _working_ case where the "written" value
is the value returned by fwrite() against the "string length" value which
is the value according to strlen()

stream_body_hack.txt shows a hacked function that handles the case where
function overloading is enabled (not saying this is the way to do it but
just to illustrate)
--
Comment (by SergeyBiryukov):

Turned [attachment:stream_body_hack.txt] into a patch:
[attachment:25061.patch].

We have a similar check in `_unzip_file_pclzip()`:
[source:tags/3.6/wp-admin/includes/file.php#L669] (introduced in [17592]).

Related: #18007 (explores other options to deal with
`mbstring.func_overload`).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25061#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
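
The failure described in this ticket, reproduced as an added example (not WordPress code and not the attached stream_body_hack.txt). The function names are hypothetical, `simulate_transfer()` stands in for curl's write-callback handling, the sample chunks are constructed, and the internal encoding is assumed to be UTF-8; `mb_strlen($data, 'UTF-8')` plays the role of the overloaded `strlen()` because `mbstring.func_overload` was removed in PHP 8.0.

```php
<?php
// Added example. Requires ext/mbstring; run it WITHOUT func_overload enabled.

// What strlen() effectively returns under mbstring.func_overload = 2:
// a character count in the internal encoding (UTF-8 assumed here).
function overloaded_strlen(string $data): int {
    return mb_strlen($data, 'UTF-8');
}

// Byte count that stays correct whether or not overloading is active,
// because the '8bit' encoding treats every byte as one character.
function byte_length(string $data): int {
    return function_exists('mb_strlen') ? mb_strlen($data, '8bit') : strlen($data);
}

// Hypothetical stand-in for curl's write-callback contract: the callback
// must report exactly the number of bytes it was handed, otherwise the
// transfer stops after the current chunk.
function simulate_transfer(array $chunks, callable $length_fn): string {
    $received = '';
    foreach ($chunks as $chunk) {
        $received .= $chunk;                       // chunk is written to the stream
        if ($length_fn($chunk) !== strlen($chunk)) { // real strlen(): true byte count
            break;                                 // mismatch ends the download early
        }
    }
    return $received;
}

// Constructed sample "download". The second chunk contains bytes that decode
// as multi-byte UTF-8, so its character count is smaller than its byte count.
// The last chunk carries the zip End of Central Dir signature (PK\x05\x06).
$chunks = [
    "PK\x03\x04" . "local-header",
    "\xC3\xA9\xE2\x82\xAC" . "compressed-bytes",
    "PK\x05\x06" . str_repeat("\x00", 18),
];

foreach (['overloaded_strlen', 'byte_length'] as $fn) {
    $body = simulate_transfer($chunks, $fn);
    printf("%-18s received %3d bytes, EOCD signature %s\n", $fn, strlen($body),
        strpos($body, "PK\x05\x06") !== false ? 'present' : 'missing');
}
```

With the character-counting callback the body ends before the final chunk, which is the truncated archive that makes PclZip report a missing End of Central Dir Record signature.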