From 942562c3822b87ca73bd07b022b501104f67ad0e Mon Sep 17 00:00:00 2001
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Thu, 16 Jul 2020 17:00:29 +0200
Subject: [PATCH] Clean up Zip Util to be more strict about what is a valid
 package archive, fixes #8931

---
 src/Composer/Util/Zip.php                     |  52 ++++++++++--------
 .../artifacts/composer-1.0.0-alpha6.zip       | Bin 5227 -> 4046 bytes
 .../Fixtures/artifacts/jsonInFirstLevel.zip   | Bin 542 -> 519 bytes
 .../jsonInFirstLevelWithExtraFirstLevel.zip   | Bin 0 -> 595 bytes
 .../Fixtures/artifacts/not-an-artifact.zip    | Bin 4140 -> 3264 bytes
 .../Test/Util/Fixtures/Zip/multiple.zip       | Bin 2569 -> 936 bytes
 .../Test/Util/Fixtures/Zip/single-sub.zip     | Bin 0 -> 306 bytes
 .../Test/Util/Fixtures/Zip/subfolder.zip      | Bin 1328 -> 0 bytes
 .../Test/Util/Fixtures/Zip/subfolders.zip     | Bin 0 -> 454 bytes
 tests/Composer/Test/Util/ZipTest.php          |  18 +++++-
 10 files changed, 43 insertions(+), 27 deletions(-)
 create mode 100644 tests/Composer/Test/Repository/Fixtures/artifacts/jsonInFirstLevelWithExtraFirstLevel.zip
 create mode 100644 tests/Composer/Test/Util/Fixtures/Zip/single-sub.zip
 delete mode 100644 tests/Composer/Test/Util/Fixtures/Zip/subfolder.zip
 create mode 100644 tests/Composer/Test/Util/Fixtures/Zip/subfolders.zip

diff --git a/src/Composer/Util/Zip.php b/src/Composer/Util/Zip.php
index ab10d5bbf..3ebdcdd85 100644
--- a/src/Composer/Util/Zip.php
+++ b/src/Composer/Util/Zip.php
@@ -71,37 +71,41 @@ class Zip
      */
     private static function locateFile(\ZipArchive $zip, $filename)
     {
-        $indexOfShortestMatch = false;
-        $lengthOfShortestMatch = -1;
+        // return root composer.json if it is there and is a file
+        if (false !== ($index = $zip->locateName($filename)) && $zip->getFromIndex($index) !== false) {
+            return $index;
+        }
 
+        $topLevelPaths = array();
         for ($i = 0; $i < $zip->numFiles; $i++) {
-            $stat = $zip->statIndex($i);
-            if (strcmp(basename($stat['name']), $filename) === 0) {
-                $directoryName = dirname($stat['name']);
-                if ($directoryName === '.') {
-                    //if composer.json is in root directory
-                    //it has to be the one to use.
-                    return $i;
-                }
-
-                if (strpos($directoryName, '\\') !== false ||
-                    strpos($directoryName, '/') !== false) {
-                    //composer.json files below first directory are rejected
-                    continue;
+            $name = $zip->getNameIndex($i);
+            $dirname = dirname($name);
+
+            // handle archives with proper TOC
+            if ($dirname === '.') {
+                $topLevelPaths[$name] = true;
+                if (\count($topLevelPaths) > 1) {
+                    // archive can only contain one top level directory
+                    return false;
                 }
+                continue;
+            }
 
-                $length = strlen($stat['name']);
-                if ($indexOfShortestMatch === false || $length < $lengthOfShortestMatch) {
-                    //Check it's not a directory.
-                    $contents = $zip->getFromIndex($i);
-                    if ($contents !== false) {
-                        $indexOfShortestMatch = $i;
-                        $lengthOfShortestMatch = $length;
-                    }
+            // handle archives which do not have a TOC record for the directory itself
+            if (false === strpos('\\', $dirname) && false === strpos('/', $dirname)) {
+                $topLevelPaths[$dirname.'/'] = true;
+                if (\count($topLevelPaths) > 1) {
+                    // archive can only contain one top level directory
+                    return false;
                 }
             }
         }
 
-        return $indexOfShortestMatch;
+        if ($topLevelPaths && false !== ($index = $zip->locateName(key($topLevelPaths).$filename)) && $zip->getFromIndex($index) !== false) {
+            return $index;
+        }
+
+        // no composer.json found either at the top level or within the topmost directory
+        return false;
     }
 }
diff --git a/tests/Composer/Test/Repository/Fixtures/artifacts/composer-1.0.0-alpha6.zip b/tests/Composer/Test/Repository/Fixtures/artifacts/composer-1.0.0-alpha6.zip
index e94843eb614f84703773840a0b898a10ee8e1874..585b4f7ea0075fa9935849ea299e15eb4c11af2e 100644
GIT binary patch
delta 98
zcmaE@aZY~2LdMP8nY>vh?`0C$e4Bk0`{Z(gwUbqZRG8*6PW~t$IXPL#p2?31%-k#F
sz+}ukd7*&B<XRT~$$i2mOpjQ>+&jYJBCKo-K)?osB1{YnOL##%0Eqk>jsO4v

delta 979
zcmX>n|5{_iLdGaA1`wFIq}~b4fD)Vx0u1r-zK+iR!4dkQ5j+frO%Z`0{FPCJA;6oN
z1-mwRWNniJnZ-EadMDZ{@@k<=2kXV_xdg`tm*f|vf>i!!j0pS<#2{Oe6GW5K6Os}>
z`1*u>;1BBvXkeNk!K^MI&A5?Cp!tU*j{=`hD+6;F1JFI}9Q&NR6tsYj4`P`7fK_Jm
zc1BZ{$+pY_yn5(XGU>%nPG^?Q#%+9|D$w}Vk{wKaii(Z_Y97aB6rQ;UAL<Yg_dj?3
zs<)2D3D2wCo@+G<&w8KpKY7NR-D}#kB`>2Qq@`v{NY09mngMZ9fmH8-SfGnmGi-jq
zdW?PY6IKb#0I1iC4{~*M@paY9O#uafX<bC%hC8hR_ygc0p90&*ctZhJ8E2=a1wIq{
zj2(2^m$h(e@ojO`v$PM_H#gj=VQ;=sWoyKG3sZH|ohrum`WlA%wxX;4X$f>28F(yS
zse4-IoX;r}PhO@h1}%dtrY1&Pj7$vHt~0w3Xt3gH;0iO74O@UrQ{y#jS-~N^_|d`G
zE}(y2F-%^>yRja70^nrefu<k^hrf<<85xjM5eGaK1$Z+ui85n1LLSA4E67G9=jRsW
z7pE5K8tP4sVde%VE~t@{Kk^EzBa#3EgBFq@OBxlKklX=EmY_sn!Dr9BnTcUyqQvA$
zKxPUvnE8g!f!UJ<$P@>r68_1d{9@WYz`TKoOa=x$6tjP@VKLi{-<kO!JJ^)P{Nkn{
w&x$Z`0O1+Fa7RQyqPw%1AI&UXl;ptyPaXl@tUzlS7`TD(0W$+bsQ`!v0DM#ds{jB1

diff --git a/tests/Composer/Test/Repository/Fixtures/artifacts/jsonInFirstLevel.zip b/tests/Composer/Test/Repository/Fixtures/artifacts/jsonInFirstLevel.zip
index 498037464ca08d944c1d9349b59ab1c19ae47004..653b60095b3e93e8dd9181be46814f2269773dbb 100644
GIT binary patch
literal 519
zcmWIWW@h1H0D-E`4*`8lFHc(l*&r+e#KomaDVat3$@#ej`NgS4dRfK!dDRLEN_mO7
zsY+G~N+qeqCHf#i&pfxxqT&*t)UwnZB^?E&vecsD%=|o%8bdt;Jp(0$+5ossr9hkF
ze|-!S2igF_0tlN@D@uwI^-3yALVzY`=A|ouY(SzxhJYN#!7zPUkPFBV9;hLLXoeVp
zOyTy_)jN5{J6ywYDPw>)Ba=M?F2AY(wS#~Hn8faLE~qRcg9L-=x*K`T(bpJZbmf$W
z91tJb7EFI4+mZ#e2^zj|UnAS_?1pwG$V3=D?dpnjm<^EF!5#=u4*;q4Xf}X@B*2@M
R4Wxt_2-z7K7+!%m3;=?4hAsdA

literal 542
zcmWIWW@Zs#U|`^2n7%B?CH~jPFdiUJ9EdrAIJKgrC{eGZqJ-O1SMTH*?{E#rrHlb6
zTKbq?p0)rg1!0gu#idCpnML}^`MCx8#i>PlS;hHztHS~UPI;g44c!zJpanGP;(4ue
z=Rcn*KCPpr_t8_=`)uH)zyK|8U9EFx&NHtxykdO8I3Q>RD+8)c$c__0*hGXIk#!29
z=`_Oh9wQUPE7-#Xs2>TyZ4dB9)rKA}2tCF?Cbm#QHv!qzApau3Tp$x_0#5spb%Xqj
c0M~&`WZmEp2=HcQ11Vtv!f!xYh!MmC05v{@hyVZp

diff --git a/tests/Composer/Test/Repository/Fixtures/artifacts/jsonInFirstLevelWithExtraFirstLevel.zip b/tests/Composer/Test/Repository/Fixtures/artifacts/jsonInFirstLevelWithExtraFirstLevel.zip
new file mode 100644
index 0000000000000000000000000000000000000000..b400918b9c7ce2bde31d94f1d931c2a0e8123b8e
GIT binary patch
literal 595
zcmWIWW@Zs#U|`^2n7%B?CH~jPFdiUJ9EdrAIJKgrC{eGZqJ-O1SMTH*?{E#rrHlb^
zEkT_h0=irmO!EXP^#)>)LB*v>DVat3$@#ej`NgS4dRfK!d9J4oxf%?3STC$@vG-oP
zdUw-<cXt#MT!THF1dr_Q4!+L*Ua@IOx1rFSv%e2_=@_M(#_#;JGxh%R+oq;Y?km<z
z>;99=Vd!$<H<H!pt`$I7O~BFUIt9^m8e#gEkqP2A?12Q-j|AYh2Y53w*@J_Gg8?(3
zRG?ZEfV43XV+%Ge29PWR10#b3gHJ1~V{`O1Mi^b~qHG7^gKWX&I8c}%z&aokY72@R
jap?wy3j(|VGLdzILn*+Ul?|kX1qh`W85op-n1KNR5doK`

literal 0
HcmV?d00001

diff --git a/tests/Composer/Test/Repository/Fixtures/artifacts/not-an-artifact.zip b/tests/Composer/Test/Repository/Fixtures/artifacts/not-an-artifact.zip
index 3e788dcc25dee43047431a63c85c3b7217a8fdae..0979dcb16df9e5caaa182d841c3321c05f884f9d 100644
GIT binary patch
delta 74
zcmZ3Za6odye8$OX%wn5QGdXZh{>!s=@+v+RrrC^>FYrY$`!F#~Oq7`H%<sT#$P8qP
ZPoB#!F2c&j00gW+xSf%K;WHPA2LN~f6662?

delta 773
zcmX>gxkh2be8wm)1`wFKxZVlOfD)Vx0u1r-zK+iR!4dkQ5j+f04H1DL{FPCJA;6oN
z1-mwRWNnibxh2@4Iw#sH@@k<-7IKRR#_PER#|M|>7o~!%@BkVgRtK>nIYBfzJs~OK
zgRf862mY{*fCi=s63prX(u^CK1e$+1@+k26v@$S<F#sLI&auzAOF;|h@}S9j%(9!e
zGCFWhHfEN<w6H!t$koxs*Hte!1!SQq(6SA8S_43S!foM4J_WXq@rDAdGR{s-3w$Q@
z89V5-FKgk{;@je=XK5d<Z*I6#!`^(O%GQYW7N+W^J5`MB^)(FjZADl8(-P=5GVoZu
zQunmZIiFLW#=J~f3|a<POihfo7?~KXU1xS7&|t;Yz!hdD8@2$Mrp9a5vVwiI_|d`G
zE})NIF--o*wXq(1Xmc{~z~ao|uj6b+2IMH?fJa$?HzSiMGj=27QH;2RY(#Q?Zb5!=
zYLTv?-eetaetTF7fEXvjzyXBKi|U==fe&<x7LsvG8s(XgTr?RN;f(Q<+qvx-H%?aM
zk(zvgk$dtRZWHDtW`>E05|gcY9GKl%fK2hpQ+dQqK~9F)afUD45fL2dc5niN0G?1m
dcIY6-F$X-31H4(;K!L>xgwo6m48Ora2LOIBzxn_G

diff --git a/tests/Composer/Test/Util/Fixtures/Zip/multiple.zip b/tests/Composer/Test/Util/Fixtures/Zip/multiple.zip
index db8c50302d78e7512c043c4598fd62f518af151c..96c0959bbd5a61358708d7c4eb32e5e99e37caa6 100644
GIT binary patch
literal 936
zcmWIWW@Zs#0D&V3DSluEl;8l;Y56%RsYQnR0Z>&O410m9vKTsYCjezxBp4V3kyPoq
z1jh%L<QJvBy|$6}kb{8B#r^HglRflQ_8eioaPXv&=miEw-3hx(n&$Fw2YH{F?6$v^
zF{#pa{e=dvX)|L(e+MwAEJ#dCOKTUOS#|7;k4nQjzS7fdHy8PNI0Wyux}qzc(rvXe
zG&d`}eOGF8PN4eMRlaXu9XL}q$LKB3od!wc-{yvEzn3yTIxSc+p>A#iljshH9~?7e
zFH3`*&jt1t$dlLRi!;jsc_1u`<ox9P+=Be#)FQpC;{3d7E(IV^%1g{mRkBi0O3TmJ
zhX#fcS1lJTJQx`6;0!e*aHv771*u|ty4?lSS|feptTlpI%gAKUfGfIGz&>PP5P;IK
z$m3#A0E;j(0OL#J{-eT6R~Ub8ZqBWbzQ!ndE-42@2YACw#umjelN*5Mr~xs|WO#(5
zSmFNi4#*0I`qrNy8r2G1(SU5lQzR=;LI=efs843z=F0>5K<6vEPq0M}%o<P_nK8nA
zVx*63a>L0-|B%Dzdp)wrxFQs0as$xh7$lQ%dH`n4i2#1E2Y8mltYKvXn!&&dginD6
Jtp#ER1^_Zv^%?*G

literal 2569
zcmWIWW@h1H0D<cfDSluElwe^HU??t4(hrT`VL0)lCT1HDe`OS52mtC3Vc-D5y=Xdk
zp*r+jg5!fr@{3YITHArz+MrtB&hYg+Y#`8jzr`aW>9J_iOYJ9Y%ed5Eum*72cZaN;
zaO1hyoCT}rHJO$_(7EzMR7prBVnNskyOY0^Ds%kJwjF24`F0_sf&IaR+?UBr$ITWk
zIBoJHw=et7;;j7DKSRxJuOFOPWPgm;YD-4jPyO)b75;*!*R2!J-G1ZSj^|&WJ^lFQ
zWsTOVpKe!P<!zZI;KcE9cEmL6oB2{s9n30k`5XI6=I6fAe^F#`>@t|$qy1u1*_P$Z
zvM=ps&z`pNhrzl%+Hq%qa`wMc760+NN7~K(FCKsWzf*^O&(yDb<~`i2ATjaWtqr-;
zcQZc7?E9#?;6#6G`i~d<B};zi#Im&95MLkQ&CZc^#Q7Z~BLf4A1OqrMA))^WEi5^K
zVHqFq>*(ws90894P&B}z0J}C&6u`A1#~!j)?6D_-u2nA{XGA6^h$g2eBqe<C^$GjH
zAJ!4jz%)UESzSPyaig?A^AAynGYr8G6%I5oTeP*XIL;I`h<yR_EIS8x#{mmdU;?WE
zVo*YY_~H(l=XszBDJ?%ICAG*1?*IKr{)c!1U8f|P&gA^ug8bstBE78Q{5(){JODHT
zX3XkmK@3bw_Z+zsqN>fhbjzQbzgzyynQ}!*S#@2M9@x2TPq(|s0i6oM2<INb>s&*)
zb0=Up7d^*_qBz%3A0@y+84i(itoaTZ2)Ly8a(kQTY2Gbh$V+fN$+?4pHGIMMi;A}d
zH;DuVs5Vtj`Wn_%pDE+daO1;{_y!(@gT2OflWvH$tTQ{O*dpN6QJcK3<W8BiQ-`e4
zeE!yTCB@S7*{#ZwjbdMTnQz}1zd(8J3m@@am(HGbJ}qI_qb)7mW!M_A@OAilog?=P
z3ZDM_ZJ%iRpIfm`qWf{F%m+S}(|qg8UcYMl>h17he(UnQoQ2wV@9g5>*eL1`PU;LD
zxtoANhd-%<0s$q>LZTfJj)c>$0xl!a(lBz6QY{TbQX+byKuw8;`WPt@<Q7;8!Icu7
z;VJRjd~s&vlnAjjI0&`O7KElJ49h@4nD-V^dSF_%<cJd7qWZkz?NY!v1K|K~MkY~a
zT-5^)Pz4w`ymbW8km7~|URgkNBMKYjf{&L0p?gWA5mYx)^5=k89LSEqEF}@f{B^7Y
zma6cC6dD0>3CQR8j6inDU&pP;Mj(3#VGP1U$c32%iibX+8-tP#vHK0ZDC0pg@vUPu
z6C{8UMIyv|pt1}(ph2b}ms*lYrYvdPie?I0I^lp9kH{g0p0ZILrp1ixFi@t2I1H4u
zksSsq`m&J915p%*rJ$LDk`iFK7THngDFNBIzmAzKNGSmnjff%zJyl?jP6ZU#t-)m+
zTC}1%6k;+c^pG<zYJ}LcqJ|zuguqG(<e&uQdgN>>h~n5SP$Mynf|UUQ-mGk({K^Z2
L*MQ+J3+4d;JZ$R>

diff --git a/tests/Composer/Test/Util/Fixtures/Zip/single-sub.zip b/tests/Composer/Test/Util/Fixtures/Zip/single-sub.zip
new file mode 100644
index 0000000000000000000000000000000000000000..b8ccd4c76300549eb937b85666e320a8f5aeffde
GIT binary patch
literal 306
zcmWIWW@h1H0D<WdDSluElwe^HU??t4(hrT`VQ~FX6JrO&Ul~Oh0^mA=qf-3p^NP1i
z0d;_|AP|FeB<JTA<QJzF>17q?=T&nl0D)3oVs5IEm4Z@Qe!hNEVv!P8EmwdyBa<jI
zF3WkK&R}qO>j+{(oWcQj3P`s-14K8bLsX!;6@au6R5yyVxEMfE3=E765)2Hhl^wD#
kU14mwZs<}UeU0%X$2BJq9pKH%22#TWgbRUmHHgCi0GA^^2LJ#7

literal 0
HcmV?d00001

diff --git a/tests/Composer/Test/Util/Fixtures/Zip/subfolder.zip b/tests/Composer/Test/Util/Fixtures/Zip/subfolder.zip
deleted file mode 100644
index 93060bea23bf3efe8fec023cb6c2dd42ee44a80e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1328
zcmWIWW@h1H0D<WdDSluElwe^HU??t4(hrT`VQ~FX6JrO&Ul~Oh0)RS17&w4%2AU3D
zs17}s;P~K@{GwEl*6uGgF%D3zZ)bSt9WoGT`_CDex>9<*fOmYO^o~FaN4*AxTAik*
z2{)dL%~_!BcW{<<ftbO+m(Gl#v8qcydtMViDwjT~^(`mE$!kv~HZbrkQjLi@xM8cu
z3lo<4&nu3ts*)A|T(xnJUHE&Bo%Rn{O|_<&fBJuI|BBBwVOKX_uH9UJU(W3C-Qa4U
zpO0rey*>YzU)LgyQ-2i#pKZKtBI5c|F|oE_%ktS7iS<s)<CApWX84<5JXFXz_fp%o
zEsJgMx)fg&5|clq9^WOtam(Vr>*FE=|M50!NPqi(^6jtqz$w;lm-d`6t`T9;Jrwua
zFSm-5p}cqtKcnZLNQ*=1`#}c0c612b^@t<Do1LR)QPbZ4zz}AUU;u|CB<yFSg(N31
zB;(_K9i9DyBj6DLiUe2$VAlqU0Jt{fxI@;8J?<pXwd%#=jK<^y(d6`mq=XN?K4BmD
z!#V;Qm?lUts|!doZj=^i{vqmch9UT&!hr^6i?$XP$C;uAu`fWLW#{1TIACE4^n3*n
zgOU-%7wE}|8=8#L@^eyBi{RdeB_c%n3l2g}u^>Nyd=1r@oS$2eUz}Q`msOmf2TR3y
zZy|xW`dJVI)6zXh?u4jnvo788r{?dHBTB04qV&KHt<NjoE(LTX2nTpGGKn(d$|F2L
z6=2}-))7QQLY)JiV<5T_VU8UCybK84OB#)!x{-pN1D<=39f6rx5XSs<tYKt8q=C=~
zh)Y26kIx8Xm;80yjBEt5hY-dfJcJyl5-1*ehi(i?lEUsc%(Q^;+gry<CP)CoQwGF$
rpp=0e&Y*OG9D}IN+JtHdS}K8<2udXZ-mGk(7-a{-A3(1tF@tyjEIM%5

diff --git a/tests/Composer/Test/Util/Fixtures/Zip/subfolders.zip b/tests/Composer/Test/Util/Fixtures/Zip/subfolders.zip
new file mode 100644
index 0000000000000000000000000000000000000000..06827d6a4196502f6a6d99c14fc30b0165b1bc9d
GIT binary patch
literal 454
zcmWIWW@h1H0D<WdDSluElwe^HU??t4(hrT`VQ~FX6JrO&Ul~Oh0^mAkpy}X->PXAa
zNl7h&Yji-;D8j%2guy|mR!N|0OwP|O$S+PU(#tB&&x2W?_ZDLP>SsX=OiTA1xf7zQ
z&AN2UpPIi*jwq?Fi_!x+jGd!CuXwu@&;uYG;LXS+%8bi%JTSjHymbUIAztNxdlgwX
zrbm%=8$or$y$vx0<ZXx{2u~wBPl5qq$dblvR722$0AeC22m-uW*+9-^2EwaA`ZkEe
F001OOWwihR

literal 0
HcmV?d00001

diff --git a/tests/Composer/Test/Util/ZipTest.php b/tests/Composer/Test/Util/ZipTest.php
index 19dc54fa1..78c7e9657 100644
--- a/tests/Composer/Test/Util/ZipTest.php
+++ b/tests/Composer/Test/Util/ZipTest.php
@@ -20,7 +20,7 @@ use Composer\Test\TestCase;
  */
 class ZipTest extends TestCase
 {
-    public function testThrowsExceptionIfZipExcentionIsNotLoaded()
+    public function testThrowsExceptionIfZipExtensionIsNotLoaded()
     {
         if (extension_loaded('zip')) {
             $this->markTestSkipped('The PHP zip extension is loaded.');
@@ -74,7 +74,7 @@ class ZipTest extends TestCase
             return;
         }
 
-        $result = Zip::getComposerJson(__DIR__.'/Fixtures/Zip/subfolder.zip');
+        $result = Zip::getComposerJson(__DIR__.'/Fixtures/Zip/subfolders.zip');
 
         $this->assertNull($result);
     }
@@ -103,7 +103,7 @@ class ZipTest extends TestCase
         $this->assertEquals("{\n    \"name\": \"foo/bar\"\n}\n", $result);
     }
 
-    public function testReturnsRootComposerJsonAndSkipsSubfolders()
+    public function testMultipleTopLevelDirsIsInvalid()
     {
         if (!extension_loaded('zip')) {
             $this->markTestSkipped('The PHP zip extension is not loaded.');
@@ -112,6 +112,18 @@ class ZipTest extends TestCase
 
         $result = Zip::getComposerJson(__DIR__.'/Fixtures/Zip/multiple.zip');
 
+        $this->assertNull($result);
+    }
+
+    public function testReturnsComposerJsonFromFirstSubfolder()
+    {
+        if (!extension_loaded('zip')) {
+            $this->markTestSkipped('The PHP zip extension is not loaded.');
+            return;
+        }
+
+        $result = Zip::getComposerJson(__DIR__.'/Fixtures/Zip/single-sub.zip');
+
         $this->assertEquals("{\n    \"name\": \"foo/bar\"\n}\n", $result);
     }
 }