Upload: Fallback to PclZip to validate ZIP file uploads.

ZipArchive can fail to validate ZIP files correctly and report valid files as invalid. This introduces a fallback to PclZip to check validity of files if ZipArchive fails them.

This introduces the new function wp_zip_file_is_valid() to validate archives.

Follow up to [57388].

Reviewed by jorbin.
Merges [57537] to the 6.4 branch.

Props audunmb, azaozz, britner, cdevroe, colorful-tones, costdev, courane01, endymion00, feastdesignco, halounsbury, jeffpaul, johnbillion, jorbin, jsandtro, karinclimber, kevincoleman, koesper, maartenbelmans, mathewemoore, melcarthus, mujuonly, nerdpressteam, olegfuture, otto42, peterwilsoncc, room34, sayful, schutzsmith, stephencronin, svitlana41319, swissspidy, tnolte, tobiasbg, vikram6, welaunchio.
Fixes #60398.


git-svn-id: https://develop.svn.wordpress.org/branches/6.4@57929 602fd350-edb4-49c9-b593-d223f7449a82

Author: aaronjorbin

src/wp-admin/includes/class-file-upload-upgrader.php

@@ -70,24 +70,7 @@ public function __construct( $form, $urlholder ) {
 			}
 
 			if ( 'pluginzip' === $form || 'themezip' === $form ) {
-				$archive_is_valid = false;
-
-				/** This filter is documented in wp-admin/includes/file.php */
-				if ( class_exists( 'ZipArchive', false ) && apply_filters( 'unzip_file_use_ziparchive', true ) ) {
-					$archive          = new ZipArchive();
-					$archive_is_valid = $archive->open( $file['file'], ZIPARCHIVE::CHECKCONS );
-
-					if ( true === $archive_is_valid ) {
-						$archive->close();
-					}
-				} else {
-					require_once ABSPATH . 'wp-admin/includes/class-pclzip.php';
-
-					$archive          = new PclZip( $file['file'] );
-					$archive_is_valid = is_array( $archive->properties() );
-				}
-
-				if ( true !== $archive_is_valid ) {
+				if ( ! wp_zip_file_is_valid( $file['file'] ) ) {
 					wp_delete_file( $file['file'] );
 					wp_die( __( 'Incompatible Archive.' ) );
 				}

src/wp-admin/includes/file.php

@@ -1563,6 +1563,37 @@ function wp_trusted_keys() {
 	return apply_filters( 'wp_trusted_keys', $trusted_keys );
 }
 
+/**
+ * Determines whether the given file is a valid ZIP file.
+ *
+ * This function does not test to ensure that a file exists. Non-existent files
+ * are not valid ZIPs, so those will also return false.
+ *
+ * @since 6.4.4
+ *
+ * @param string $file Full path to the ZIP file.
+ * @return bool Whether the file is a valid ZIP file.
+ */
+function wp_zip_file_is_valid( $file ) {
+	/** This filter is documented in wp-admin/includes/file.php */
+	if ( class_exists( 'ZipArchive', false ) && apply_filters( 'unzip_file_use_ziparchive', true ) ) {
+		$archive          = new ZipArchive();
+		$archive_is_valid = $archive->open( $file, ZipArchive::CHECKCONS );
+		if ( true === $archive_is_valid ) {
+			$archive->close();
+			return true;
+		}
+	}
+
+	// Fall through to PclZip if ZipArchive is not available, or encountered an error opening the file.
+	require_once ABSPATH . 'wp-admin/includes/class-pclzip.php';
+
+	$archive          = new PclZip( $file );
+	$archive_is_valid = is_array( $archive->properties() );
+
+	return $archive_is_valid;
+}
+
 /**
  * Unzips a specified ZIP file to a location on the filesystem via the WordPress
  * Filesystem Abstraction.

tests/phpunit/data/filesystem/_source-license

@@ -0,0 +1,33 @@
+The following files were sourced from https://github.com/ZJONSSON/node-unzipper a fork of https://github.com/EvanOxfeld/node-unzip
+
+* archive-comment.zip
+* archive-cp866.zip
+* archive-directory-entry.zip
+* archive-encrypted.zip
+* archive-flags-set.zip
+* archive-invalid.zip
+* archive-large.zip
+* archive-uncompressed.zip
+* archive.crx
+
+Copyright (c) 2012 - 2013 Near Infinity Corporation
+Copyright (c) 2016 - 2024 Ziggy Jonsson ([email protected])
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

tests/phpunit/data/filesystem/archive-comment.zip

@@ -0,0 +1,7 @@
+# Shucked
+
+Shucked is a 2022 musical with music and lyrics by Brandy Clark and Shane McAnally, and a book by Robert Horn. The Broadway production began previews at the Nederlander Theatre on March 8, 2023, before opening on April 4. The show received positive reviews and went on to receive nine nominations at the 76th Tony Awards, including Best Musical. Cast member Alex Newell became one of the first two openly non-binary performers to be nominated for and win a Tony Award, with their win for Best Featured Actor in a Musical.
+
+A U.S. tour, West End production, and feature film adaptation are currently planned.
+
+From Wikipedia (https://en.wikipedia.org/wiki/Shucked) under Creative Commons Attribution CC-BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0/legalcode)