[SECURITY] Introduce PHP stream wrapper for phar:// protocol
This custom stream wrapper for the phar:// protocol overrides PHP's native handling. In case Phar bundles shall be loaded from a valid directory, the custom wrapper falls back to the native PHP wrapper in order to invoke Phar-related actions. In case the location is not trustworthy, an according exception is thrown.

The custom stream wrapper is registered in the beginning of TYPO3's bootstrap class. Trusted locations are those in typo3conf/ext/* - anything else is denied and not considered as trustworthy.

Releases: master, 8.7, 7.6
Resolves: #85385
Security-Commit: efa085d9a5aebfac6b92309ea53c455b95a81fcc
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: Ifd38eab7a5757e6cfbd6f773a3fed8f3d742e09d
Reviewed-on: https://review.typo3.org/57558
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/core/Classes/Core/Bootstrap.php (13 additions, 0 deletions)
- typo3/sysext/core/Classes/IO/PharStreamWrapper.php (557 additions, 0 deletions)
- typo3/sysext/core/Classes/IO/PharStreamWrapperException.php (20 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/bundle.phar (0 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/ext_emconf.php (21 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/IO/PharStreamWrapperTest.php (402 additions, 0 deletions)