[SECURITY] Mitigate phar stream wrapper
[Packages/TYPO3.CMS.git] / typo3 / sysext / core / Classes / LinkHandling / LegacyLinkNotationConverter.php
index 8ce1064..b6d88d2 100644 (file)
@@ -56,6 +56,13 @@ class LegacyLinkNotationConverter
      */
     public function resolve(string $linkParameter): array
     {
+        if (stripos(rawurldecode(trim($linkParameter)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030673
+            );
+        }
+
         $result = [];
         // Parse URL scheme
         $scheme = parse_url($linkParameter, PHP_URL_SCHEME);
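Review bot: The new guard at the top of `resolve()` tests a trimmed, once-decoded copy of `$linkParameter`, while the `parse_url()` call right below it receives the original string, so the check and the parser do not look at the same value. I would additionally reject on the parsed scheme directly after `parse_url()`, with a condition such as `if (is_string($scheme) && strtolower($scheme) === 'phar')` throwing the same kind of exception. A short comment should also state that this is a single-scheme denylist which relies on later code not decoding the value again; whether that holds is not visible here, because the body of `resolve()` continues outside the hunk. The docblock above should gain `@throws \RuntimeException`. The message says "soft reference target" although this method resolves a link parameter, so the wording may mislead whoever reads the log.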