[SECURITY] Introduce PHP stream wrapper for phar:// protocol
This custom stream wrapper for the phar:// protocol overrides PHP's native handling. In case Phar bundles shall be loaded from a valid directory, the custom wrapper falls back to the native PHP wrapper in order to invoke Phar-related actions. In case the location is not trustworthy, an according exception is thrown.

The custom stream wrapper is registered in the beginning of TYPO3's bootstrap class. Trusted locations are those in typo3conf/ext/* - anything else is denied and not considered as trustworthy.

Releases: master, 8.7, 7.6
Resolves: #85385
Security-Commit: 86f79d23a2c198fb3054b1d1f9414226f955c66d
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: I8c6499ca8dea31bdfc7ed9fba0b479b4a7715f4a
Reviewed-on: https://review.typo3.org/57540
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/core/Classes/Core/Bootstrap.php (14 additions, 1 deletion)
- typo3/sysext/core/Classes/IO/PharStreamWrapper.php (536 additions, 0 deletions)
- typo3/sysext/core/Classes/IO/PharStreamWrapperException.php (19 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/bundle.phar (0 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/ext_emconf.php (21 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/IO/PharStreamWrapperTest.php (395 additions, 0 deletions)
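The approach the commit message describes (override phar://, check the archive's location, then fall back to the native wrapper) can be sketched as follows. This is an added example, not TYPO3's PharStreamWrapper: the class name `GuardedPharWrapper`, the `TRUSTED_BASE` path and the use of `realpath()` for the location check are assumptions, and it targets PHP 7.1 or later.

```php
<?php
// Added illustration, not TYPO3's code. TRUSTED_BASE is an assumed,
// already-canonical absolute path ending in "/".
const TRUSTED_BASE = '/var/www/site/typo3conf/ext/';

final class GuardedPharWrapper
{
    public $context;   // populated by PHP
    private $handle;

    // Find the archive file named in a phar:// URL and require its canonical
    // path (symlinks and ".." resolved) to lie below TRUSTED_BASE.
    private static function assertTrusted(string $url): void
    {
        $p = substr($url, strlen('phar://'));
        while ($p !== '' && !is_file($p) && dirname($p) !== $p) {
            $p = dirname($p);
        }
        $real = is_file($p) ? realpath($p) : false;
        if ($real === false || strpos($real, TRUSTED_BASE) !== 0) {
            throw new RuntimeException('Untrusted phar location: ' . $url);
        }
    }
    // Run $fn with the native phar wrapper restored, then re-register this class.
    private static function native(callable $fn)
    {
        stream_wrapper_restore('phar');
        try {
            return $fn();
        } finally {
            stream_wrapper_unregister('phar');
            stream_wrapper_register('phar', self::class);
        }
    }
    public function stream_open($url, $mode, $options, &$opened): bool
    {
        self::assertTrusted($url);
        $this->handle = self::native(function () use ($url, $mode) { return fopen($url, $mode); });
        return is_resource($this->handle);
    }
    public function stream_read($n) { return fread($this->handle, $n); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
    public function url_stat($url, $flags)
    {
        self::assertTrusted($url);
        return self::native(function () use ($url) { return @stat($url); });
    }
}
stream_wrapper_unregister('phar');
stream_wrapper_register('phar', GuardedPharWrapper::class);
```

Because `url_stat` is guarded as well as `stream_open`, calls such as `file_exists()` or `is_dir()` on a phar:// URL outside the trusted base are rejected before the native wrapper ever sees the archive.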