.h5p files with zipfile records for directories are rejected as invalid

Question

.h5p files with zipfile records for directories are rejected as invalid

Opened this issue 5 years ago · 0 comments

Zip files may contain records for directories as well as files. For example, if our tree is

h5p.json
Mylib/
|- semantics.json
|- library.json

the records present in our zip file might be

h5p.json
Mylib/
Mylib/semantics.json
Mylib/library.json

or

h5p.json
Mylib/semantics.json
Mylib/library.json

ie, the Mylib/ entry may or may not be present.

Currently, the HP5Validator class rejects the first case while checking for invalid file extensions. Worse, it provides no specific error message that directory records are not allowed, and instead complains about the directory name having a bogus file extension.

The relevant code was introduced here:

366d8f2#diff-5ca86cd0514d58be6708beff914aba66R829

On UN*X systems, the most straightforward way to create a .h5p file from a directory tree is using the zip utility. For example: $ zip ../mylib.h5p -r . might be used to create the .h5p file from the tree in our previous example. This invokation, however, will create a record for the Mylib/ directory as described above, and the resulting .h5p file will be rejected.

A possible fix might include checking for directories by checking whether the file name ends with a slash. The following additions make the validation succeed for me:

      elseif ($canInstall && strpos($fileName, '/') !== FALSE) {
+        // directory record
+        if (substr($fileName, -1) === '/') {
+          continue;
+        }
        // This is a library file, check that the file type is allowed
        if ($this->h5pC->disableFileCheck !== TRUE && !preg_match($libraryRegExp, $fileName)) {

I'm not submitting a pull request for this yet because I assume there are probably other sanity checks that would make sense here.