[SECURITY] Mitigate phar stream wrapper
[Packages/TYPO3.CMS.git] / typo3 / sysext / core / Classes / Database / SoftReferenceIndex.php
index 5c8762e..7478ba7 100644 (file)
@@ -445,6 +445,13 @@ class SoftReferenceIndex
         // we define various keys below, "url" might be misleading
         unset($finalTagParts['url']);
 
+        if (stripos(rawurldecode(trim($link_param)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030672
+            );
+        }
+
         // Parse URL:
         $pU = @parse_url($link_param);
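Review bot: The new guard ahead of `parse_url()` tests a trimmed, once-decoded copy of `$link_param`, while the unchanged code below keeps working with the raw value, so the string that is checked is not the string that is used. Whether a later step decodes or normalises the value again is not visible, because the function body continues outside the hunk. It would be safer to normalise once into a variable, e.g. `$normalizedParam = rawurldecode(trim($link_param));`, test `stripos($normalizedParam, 'phar://') === 0` on it, and re-check that same value before any branch that touches the filesystem. A short comment such as `// phar:// targets are rejected: file operations on them unserialize archive metadata` would record why this one scheme is singled out. Because this is a single-scheme deny-list at one call site, a regression test covering mixed case, surrounding whitespace and percent-encoded forms of the prefix would keep the guard from eroding.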