[SECURITY] Introduce PHP stream wrapper for phar:// protocol 44/57544/2
author Oliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:31:53 +0000 (11:31 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:31:58 +0000 (11:31 +0200)
commit d7d1de4396e85af219bb4c1e7d4e0116b534e37d
tree d30d40d718b7afaa377f5d9f50a07d49d4412fcd
parent cbaf75ce331327a2af360ca05be1fc6c9ffd5c6c
[SECURITY] Introduce PHP stream wrapper for phar:// protocol

This custom stream wrapper for the phar:// protocol overrides
PHP's native handling. In case Phar bundles shall be loaded from
a valid directory, the custom wrapper falls back to the native PHP
wrapper in order to invoke Phar-related actions.

In case the location is not trustworthy, an according exception
is thrown. The custom stream wrapper is registered in the beginning
of TYPO3's bootstrap class.

Trusted locations are those in typo3conf/ext/* - anything else is
denied and not considered as trustworthy.

Releases: master, 8.7, 7.6
Resolves: #85385
Security-Commit: 2af49af902fe57e476d97d49487008557b5dc2bc
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: I256f5061075b64dd74b3b065b7f9bacda27a63bb
Reviewed-on: https://review.typo3.org/57544
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/core/Classes/IO/PharStreamWrapper.php [new file with mode: 0644]
typo3/sysext/core/Classes/IO/PharStreamWrapperException.php [new file with mode: 0644]
typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/bundle.phar [new file with mode: 0644]
typo3/sysext/core/Tests/Functional/Fixtures/Extensions/test_resources/ext_emconf.php [new file with mode: 0644]
typo3/sysext/core/Tests/Functional/IO/PharStreamWrapperTest.php [new file with mode: 0644]
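
The behaviour the commit message describes, as an added example that is not the code from this commit or from TYPO3: a phar:// wrapper that resolves the archive's real path, hands the call to PHP's native wrapper only when that path lies below a trusted directory, and throws otherwise. The class name GuardedPharWrapper, the $trustedRoot path and the use of RuntimeException are assumptions; it targets PHP 7.4 or later.

```php
<?php
// Added example, not TYPO3's code: class name and $trustedRoot are hypothetical.
final class GuardedPharWrapper
{
    public $context;   // filled in by PHP
    private $handle;   // native phar stream once opened
    public static string $trustedRoot = '/var/www/html/typo3conf/ext'; // assumption

    public static function register(): void
    {
        stream_wrapper_unregister('phar'); // drop the currently active phar:// handler
        stream_wrapper_register('phar', self::class);
    }

    // True only if the archive file itself resolves to a path below $trustedRoot.
    public static function isTrusted(string $url): bool
    {
        $path = substr($url, strlen('phar://'));
        if (strpos($path, '://') !== false) { return false; } // no nested wrappers
        while (!is_file($path) && ($parent = dirname($path)) !== $path) {
            $path = $parent; // walk up from the inner entry to the archive on disk
        }
        $archive = realpath($path); // resolves ../ segments and symlinks
        $root = realpath(self::$trustedRoot);
        return $archive !== false && $root !== false && is_file($archive)
            && strpos($archive, $root . DIRECTORY_SEPARATOR) === 0;
    }

    private function guard(string $url, callable $native)
    {
        if (!self::isTrusted($url)) {
            throw new RuntimeException('Untrusted phar location: ' . $url);
        }
        stream_wrapper_restore('phar'); // hand this one call to PHP's native wrapper
        try {
            return $native();
        } finally {
            self::register(); // always re-arm the guard
        }
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool
    {
        return is_resource($this->handle = $this->guard($path, fn() => fopen($path, $mode)));
    }
    public function url_stat(string $path, int $flags) { return $this->guard($path, fn() => @stat($path)); }
    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
}
```

Calling GuardedPharWrapper::register() at the start of bootstrap mirrors where the commit message says the wrapper is registered. Because the check runs on the resolved path, a URL such as phar:///var/www/html/typo3conf/ext/../../uploads/x.phar is rejected.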