[SECURITY] Introduce PHP stream wrapper for phar:// protocol 58/57558/2
author Oliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:35:24 +0000 (11:35 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:35:29 +0000 (11:35 +0200)
commit b3b7d453a20e140a1d81d609ef4b9c61932238ab
tree 6de727ed3bc899d64d7ebc2e20c988c000c3bd60
parent 79260b2d9176096b33fd6ba97a255d9d8febbd30
[SECURITY] Introduce PHP stream wrapper for phar:// protocol

This custom stream wrapper for the phar:// protocol overrides
PHP's native handling. In case Phar bundles shall be loaded from
a valid directory, the custom wrapper falls back to the native PHP
wrapper in order to invoke Phar-related actions.

In case the location is not trustworthy, an according exception
is thrown. The custom stream wrapper is registered in the beginning
of TYPO3's bootstrap class.

Trusted locations are those in typo3conf/ext/* - anything else is
denied and not considered as trustworthy.

Releases: master, 8.7, 7.6
Resolves: #85385
Security-Commit: efa085d9a5aebfac6b92309ea53c455b95a81fcc
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: Ifd38eab7a5757e6cfbd6f773a3fed8f3d742e09d
Reviewed-on: https://review.typo3.org/57558
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/core/Classes/IO/PharStreamWrapper.php [new file with mode: 0644]
typo3/sysext/core/Classes/IO/PharStreamWrapperException.php [new file with mode: 0644]
typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/bundle.phar [new file with mode: 0644]
typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/ext_emconf.php [new file with mode: 0644]
typo3/sysext/core/Tests/Functional/IO/PharStreamWrapperTest.php [new file with mode: 0644]
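
The override-and-fall-back pattern the commit message describes, as an added sketch that is not the code of this commit: the class name GuardedPharWrapper, its methods and the $trustedRoot property are hypothetical. It assumes the phar extension is loaded and that the trusted directory is typo3conf/ext below the bootstrap file. Only fopen/read is covered here.

```php
<?php
// Added illustration: class, method and property names are hypothetical, not TYPO3's.
final class GuardedPharWrapper
{
    public static $trustedRoot = '';   // assumption: absolute path of the allowed directory
    public $context;                   // set by PHP for user-land wrappers
    private $handle = false;
    // Walk up from the phar:// target until the bundle file itself is found.
    public static function resolveBundle(string $url): ?string
    {
        $path = (string) preg_replace('#^phar://#i', '', $url);
        while ($path !== '' && $path !== dirname($path)) {
            if (is_file($path)) {
                return realpath($path) ?: null;   // collapses ../ segments and symlinks
            }
            $path = dirname($path);
        }
        return null;
    }

    public static function isTrusted(string $url): bool
    {
        $bundle = self::resolveBundle($url);
        $root = realpath(self::$trustedRoot);
        return $bundle !== null && $root !== false
            && strpos($bundle, $root . DIRECTORY_SEPARATOR) === 0;
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$openedPath): bool
    {
        if (!self::isTrusted($path)) {
            throw new RuntimeException('phar:// access outside the trusted location denied');
        }
        stream_wrapper_restore('phar');           // hand over to PHP's native handler
        try {
            $this->handle = fopen($path, $mode);
        } finally {                               // always re-arm the guard
            stream_wrapper_unregister('phar');
            stream_wrapper_register('phar', self::class);
        }
        return is_resource($this->handle);
    }
    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
}
// Registration, done once early in the bootstrap:
GuardedPharWrapper::$trustedRoot = __DIR__ . '/typo3conf/ext';
stream_wrapper_unregister('phar');
stream_wrapper_register('phar', GuardedPharWrapper::class);
```

A complete wrapper has to apply the same location check in every other entry point PHP may call for phar:// (url_stat, dir_opendir, unlink, rename, mkdir, rmdir, stream_metadata), since file_exists() or is_dir() on a phar:// URL reaches the archive without going through stream_open.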