VYPR
High severity · CISA KEV · NVD Advisory · Published Nov 19, 2020 · Updated Oct 21, 2025

CVE-2020-28949

Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
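A pre-extraction scan written for this advisory, as an added example that is not Archive_Tar's own code: it transcribes the pre-1.4.11 rule (reject only a `phar://` prefix) and the fixed rule (reject `://` anywhere) as the hypothetical functions isMaliciousNameOld and isMaliciousNameFixed, builds a constructed in-memory tar with the helper tarHeader, and walks its headers with scanTar to show which entry names each rule refuses. The tar data and all function names are assumptions of this example.

```php
<?php
// Added example (not Archive_Tar's code): scan tar entry names for the
// classes of names the CVE-2020-28949 fix rejects, before anything is extracted.

// Pre-1.4.11 behaviour: only a leading "phar://" counted as a stream wrapper.
function isMaliciousNameOld(string $name): bool {
    if (strpos($name, 'phar://') === 0) return true;
    return strpos($name, '../') !== false || strpos($name, '..\\') !== false;
}

// 1.4.11 behaviour: any "://" in the name is rejected, so file:// and other
// wrappers are caught as well as phar://.
function isMaliciousNameFixed(string $name): bool {
    if (strpos($name, '://') !== false) return true;
    return strpos($name, '../') !== false || strpos($name, '..\\') !== false;
}

// Minimal ustar header for a zero-length entry (constructed test data only).
function tarHeader(string $name): string {
    $h  = str_pad($name, 100, "\0");        // name
    $h .= "0000644\0";                      // mode
    $h .= "0000000\0" . "0000000\0";        // uid, gid
    $h .= "00000000000\0";                  // size (0, octal)
    $h .= "00000000000\0";                  // mtime
    $h .= "        ";                       // checksum placeholder (8 spaces)
    $h .= "0";                              // typeflag: regular file
    $h  = str_pad($h, 512, "\0");
    $sum = array_sum(array_map('ord', str_split($h)));
    return substr_replace($h, sprintf("%06o\0 ", $sum), 148, 8);
}

// Walk the 512-byte headers and return the names the given check rejects.
function scanTar(string $tar, callable $check): array {
    $flagged = [];
    for ($off = 0; $off + 512 <= strlen($tar); $off += 512) {
        $hdr = substr($tar, $off, 512);
        if (trim($hdr, "\0") === '') break;            // end-of-archive block
        $name = rtrim(substr($hdr, 0, 100), "\0");
        $size = octdec(trim(substr($hdr, 124, 12), "\0 "));
        if ($check($name)) $flagged[] = $name;
        $off += (int) (ceil($size / 512) * 512);       // skip the entry's data blocks
    }
    return $flagged;
}

// Constructed archive: one benign name, one phar wrapper, one non-phar wrapper, one traversal.
$names = ['docs/readme.txt', 'phar://x/y', 'file://example/target', '../escape'];
$tar   = implode('', array_map('tarHeader', $names)) . str_repeat("\0", 1024);
printf("old check flags:   %s\n", implode(', ', scanTar($tar, 'isMaliciousNameOld')));
printf("fixed check flags: %s\n", implode(', ', scanTar($tar, 'isMaliciousNameFixed')));
```

The old rule flags only the phar and traversal entries; the fixed rule also flags the file:// entry, which is exactly the gap the description above refers to.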

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pear/archive_tar (Packagist)
Affected versions: < 1.4.11
Patched versions: 1.4.11

Affected products (1)

  • Archive_Tar/Archive_Tar

Patches (1)

Commit 0670a05fdab9

Fixes #33 - ensure we catch additional malicious/crafted filenames

https://github.com/pear/Archive_Tar · Michiel Rook · Nov 19, 2020 · via ghsa
1 file changed · +4 -4
  • Archive/Tar.php (+4 -4, modified)
    @@ -1730,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)
     
             // ----- Extract the properties
             $v_header['filename'] = rtrim($v_data['filename'], "\0");
    -        if ($this->_maliciousFilename($v_header['filename'])) {
    +        if ($this->_isMaliciousFilename($v_header['filename'])) {
                 $this->_error(
                     'Malicious .tar detected, file "' . $v_header['filename'] .
                     '" will not install in desired directory tree'
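Review bot: the `_error(...)` message at the end of this hunk still says the file "will not install in desired directory tree", but the renamed `_isMaliciousFilename` check now also refuses names carrying any `://` stream wrapper, so the message no longer describes why such an entry was rejected; consider wording that names the entry as a malicious filename (wrapper or traversal) rather than only a directory-tree problem, so operators reading the log see the real reason.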
    @@ -1800,9 +1800,9 @@ private function _tarRecToSize($tar_size)
          *
          * @return bool
          */
    -    private function _maliciousFilename($file)
    +    private function _isMaliciousFilename($file)
         {
    -        if (strpos($file, 'phar://') === 0) {
    +        if (strpos($file, '://') !== false) {
                 return true;
             }
             if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
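Review bot: the new `strpos($file, '://') !== false` test changes the semantics from a prefix match (`=== 0`, `phar://` only) to a substring match anywhere in the name, which is the right direction for covering every stream wrapper but also rejects otherwise-valid entries that merely contain `://` later in the path; the docblock above (`@return bool`) should state the rule explicitly so the broader rejection reads as intentional, and a unit test with a non-phar wrapper name and a name containing `://` mid-string would pin down that boundary.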
    @@ -1838,7 +1838,7 @@ public function _readLongHeader(&$v_header)
     
             $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
             $v_header['filename'] = $v_filename;
    -        if ($this->_maliciousFilename($v_filename)) {
    +        if ($this->_isMaliciousFilename($v_filename)) {
                 $this->_error(
                     'Malicious .tar detected, file "' . $v_filename .
                     '" will not install in desired directory tree'
    
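Review bot: `_readLongHeader` duplicates the same `_error(...)` message literal found in `_readHeader`, and both call sites had to be edited for the rename; since both paths now guard with `_isMaliciousFilename`, moving the check plus the error call into one shared helper would keep the two header-parsing paths from drifting apart in future fixes.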


References (29)

News mentions (0)

No linked articles in our index yet.