[TASK] Enable PharMetaDataInterceptor
Enable experimental checking of serialized Phar meta-data against PHP objects. This would consider a Phar archive malicious in case not only scalar values are found. A custom low-level Phar\Reader is used in order to avoid using PHP's Phar object which would trigger the initial vulnerability.

Resolves: #90010
Releases: master
Change-Id: Ifda811fab44bdbb8f4858d18e392e0f321dbf1be
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62760
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Susanne Moog <look@susi.dev>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Susanne Moog <look@susi.dev>
Showing
- typo3/sysext/core/Classes/Core/Bootstrap.php (6 additions, 1 deletion)
- typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/compromised.phar (0 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/IO/PharStreamWrapperInterceptorTest.php (16 additions, 7 deletions)
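
The check described in the commit message above, as an added example that is not the code from this commit: a walker over the serialized meta-data string that never calls `unserialize()` and rejects anything other than null, scalars and arrays of them. `metaDataIsHarmless()` and `readValue()` are hypothetical names, and accepting arrays of scalars is an assumption.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not TYPO3's Phar\Reader or interceptor.
// Assumption: arrays pass as long as every key and value is scalar or null.
function metaDataIsHarmless(string $data): bool
{
    $pos = 0;
    return readValue($data, $pos, 0) && $pos === strlen($data);
}
function readValue(string $d, int &$pos, int $depth): bool
{
    // null, bool, int, float: short tokens terminated by ';'
    if (preg_match('/\G(?:N|b:[01]|i:[+-]?\d+|d:[-+.\dA-Za-z]+);/', $d, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        return true;
    }
    // string: s:<byte length>:"<bytes>"; the payload is skipped by length, so
    // object-like text inside a string is never read as a token
    if (preg_match('/\Gs:(\d{1,9}):"/', $d, $m, 0, $pos)) {
        $end = $pos + strlen($m[0]) + (int)$m[1];
        if (substr($d, $end, 2) !== '";') {
            return false;
        }
        $pos = $end + 2;
        return true;
    }
    // array: a:<count>:{<key><value>...}, nesting capped at 32 levels
    if ($depth < 32 && preg_match('/\Ga:(\d{1,9}):\{/', $d, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        for ($i = 0, $n = 2 * (int)$m[1]; $i < $n; $i++) {
            if (!readValue($d, $pos, $depth + 1)) {
                return false;
            }
        }
        if (($d[$pos] ?? '') !== '}') {
            return false;
        }
        $pos++;
        return true;
    }
    // O: (object), C: (Serializable), E: (enum), r:/R: (references) and
    // malformed input all end up here and are rejected
    return false;
}
// Constructed samples: plain meta-data, an object, and a string that only
// contains object-like text.
foreach (['a:1:{s:7:"version";s:5:"1.0.0";}', 'O:8:"stdClass":0:{}',
          's:19:"O:8:"stdClass":0:{}";'] as $sample) {
    printf("%-34s %s\n", $sample, metaDataIsHarmless($sample) ? 'scalar-only' : 'reject');
}
```

Because string payloads are skipped by their declared byte length, the third sample is accepted even though it contains the text of a serialized object, while the second sample, a real object token, is rejected.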