
XananasX7 - 31 May 2026

Pull Request resolves #

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This PR validates ZIP entry paths in TemplateModel::extractArchive() to prevent a Zip Slip path traversal vulnerability.

Issue: extractArchive() calls $zip->extractTo($path) without checking whether archive entries contain ../ sequences that could escape the target directory. A maliciously crafted template ZIP could overwrite files outside the template directory (e.g., ../../configuration.php).

Fix: Before extracting, iterate all entries and reject any whose real path falls outside the intended extraction root. Returns an error if any traversal attempt is detected.

Testing Instructions

  1. Apply the patch.
  2. Normal template installation continues to work.
  3. Create a ZIP with an entry named ../../evil.php and attempt to install it as a template — the installation should fail with an error message.

Actual result BEFORE applying this Pull Request

A template ZIP with traversal paths (../) can extract files outside the template directory.

Expected result AFTER applying this Pull Request

ZIP entries with paths outside the target directory are detected and extraction is aborted with an error.

Link to documentation

  • No documentation changes for guide.joomla.org needed
  • No documentation changes for manual.joomla.org needed
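The pre-extraction check the description outlines, written out as an added example that is not the PR's patch: entries are normalised lexically (they do not exist on disk yet, so realpath() cannot be applied to them), and extraction is refused if any entry is absolute or climbs above the extraction root. Function names and the ZIP/target paths are illustrative assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Return the names of archive entries that would land outside the
 * extraction root: absolute paths, drive-letter paths, or paths whose
 * ".." segments climb above the root. An empty array means all entries are safe.
 */
function findTraversalEntries(ZipArchive $zip): array
{
    $bad = [];

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $norm = str_replace('\\', '/', $name);   // treat backslashes as separators too

        // Absolute POSIX paths and Windows drive letters never belong in a template ZIP.
        if ($norm === '' || $norm[0] === '/' || preg_match('#^[A-Za-z]:#', $norm)) {
            $bad[] = $name;
            continue;
        }

        $depth = 0;   // how many directory levels below the root we currently are
        foreach (explode('/', $norm) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                if ($depth === 0) {   // would step above the root: traversal
                    $bad[] = $name;
                    continue 2;
                }
                $depth--;
                continue;
            }
            $depth++;
        }
    }

    return $bad;
}

// Usage (constructed paths): validate every entry before calling extractTo().
$target = '/var/www/templates/new';
$zip    = new ZipArchive();
if ($zip->open('/tmp/template.zip') === true) {
    $bad = findTraversalEntries($zip);
    if ($bad !== []) {
        $zip->close();
        throw new RuntimeException('Unsafe ZIP entries rejected: ' . implode(', ', $bad));
    }
    $zip->extractTo($target);
    $zip->close();
}
```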
XananasX7 - open - 31 May 2026
XananasX7 - change - 31 May 2026
Status New Pending
joomla-cms-bot - change - 31 May 2026
Category Administration com_templates Language & Strings
brianteeman - comment - 31 May 2026

There was a reason that you were given a template to complete when you submitted this PR. Please update your PR with the required information. You can find the template here https://github.com/joomla/joomla-cms/blob/5.4-dev/.github/PULL_REQUEST_TEMPLATE.md

In addition please read https://github.com/joomla/joomla-cms/security

XananasX7 - change - 31 May 2026
The description was changed
XananasX7 - edited - 31 May 2026
XananasX7 - comment - 31 May 2026

Apologies @brianteeman — PR description has been updated with the full template including summary, testing instructions, before/after results, and documentation checkboxes.
