[SECURITY] Mitigate phar stream wrapper 59/57559/2
authorChristian Kuhn <lolli@schwarzbu.ch>
Thu, 12 Jul 2018 09:35:37 +0000 (11:35 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:35:41 +0000 (11:35 +0200)
SoftReferenceIndex throws exceptions on phar streams
LegacyLinkNotationConverter throws exceptions on phar streams

Resolves: #85385
Releases: master, 8.7, 7.6
Security-Commit: 4fde9d6a2333435af9033f55e9a5e2d428f6ea0d
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: I69333fff4d94dc7369ba729333a39e8be5dda7a3
Reviewed-on: https://review.typo3.org/57559
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Database/SoftReferenceIndex.php
typo3/sysext/core/Classes/LinkHandling/LegacyLinkNotationConverter.php
typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php [new file with mode: 0644]
typo3/sysext/core/Tests/Unit/LinkHandling/LegacyLinkNotationConverterTest.php

index 5c8762e..7478ba7 100644 (file)
@@ -445,6 +445,13 @@ class SoftReferenceIndex
         // we define various keys below, "url" might be misleading
         unset($finalTagParts['url']);
 
+        if (stripos(rawurldecode(trim($link_param)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030672
+            );
+        }
+
         // Parse URL:
         $pU = @parse_url($link_param);
 
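Review bot: The guard added before the URL parsing decodes the parameter exactly once, so a doubly percent-encoded scheme (`phar%253a//…`) is not caught and is handed to `parse_url` unchanged; whether that can still reach a stream function depends on whether a later consumer decodes the value again, which is not visible in this hunk. If that is a concern, repeat `rawurldecode` until the string stops changing before the `stripos` test, or additionally reject any value whose `parse_url(..., PHP_URL_SCHEME)` is `phar` after decoding. A short comment such as `// Reject phar:// before the URL is parsed: the phar stream wrapper must never be reachable from editor-supplied link targets` would record why the check sits here rather than after parse_url. The same six lines are duplicated verbatim in LegacyLinkNotationConverter::resolve in the next hunk, so any tightening needs to land in both places; getTypoLinkParts continues outside this hunk.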
index 8ce1064..b6d88d2 100644 (file)
@@ -56,6 +56,13 @@ class LegacyLinkNotationConverter
      */
     public function resolve(string $linkParameter): array
     {
+        if (stripos(rawurldecode(trim($linkParameter)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030673
+            );
+        }
+
         $result = [];
         // Parse URL scheme
         $scheme = parse_url($linkParameter, PHP_URL_SCHEME);
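Review bot: The exception message on the new lines, `'phar scheme not allowed as soft reference target'`, is copied from SoftReferenceIndex and does not describe resolve(), which converts a link parameter rather than indexing a soft reference; `'phar scheme not allowed as link target'` would read correctly in logs and keep the two failures distinguishable by text as well as by code. Because the guard is byte-identical in both classes, a single shared static helper called from both sites would keep future hardening (extra decoding passes, further schemes) in sync instead of relying on two copies being edited together. resolve() continues past the end of this hunk.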
diff --git a/typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php b/typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php
new file mode 100644 (file)
index 0000000..69a20aa
--- /dev/null
@@ -0,0 +1,57 @@
+<?php
+declare(strict_types = 1);
+namespace TYPO3\CMS\Core\Tests\Unit\Database;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use TYPO3\CMS\Core\Database\SoftReferenceIndex;
+use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
+
+/**
+ * Test case
+ */
+class SoftReferenceIndexTest extends UnitTestCase
+{
+    /**
+     * @return array
+     */
+    public function getTypoLinkPartsThrowExceptionWithPharReferencesDataProvider(): array
+    {
+        return [
+            'URL encoded local' => [
+                'phar%3a//some-file.jpg',
+            ],
+            'URL encoded absolute' => [
+                'phar%3a///path/some-file.jpg',
+            ],
+            'not URL encoded local' => [
+                'phar://some-file.jpg',
+            ],
+            'not URL encoded absolute' => [
+                'phar:///path/some-file.jpg',
+            ],
+        ];
+    }
+
+    /**
+     * @test
+     * @dataProvider getTypoLinkPartsThrowExceptionWithPharReferencesDataProvider
+     */
+    public function getTypoLinkPartsThrowExceptionWithPharReferences(string $pharUrl)
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionCode(1530030672);
+        (new SoftReferenceIndex())->getTypoLinkParts($pharUrl);
+    }
+}
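Review bot: The data provider in this new file exercises only a lowercase scheme with no surrounding whitespace, while the guard under test relies on `trim` and `stripos`; neither the case-insensitive match nor the whitespace stripping is pinned, so a later regression to `strpos` or removal of `trim` would still pass this suite. Adding datasets such as `'upper case scheme' => ['PHAR://some-file.jpg'],` and `'leading whitespace' => [' phar://some-file.jpg'],` covers both behaviours the implementation deliberately handles. The same gap exists in the resolveThrowExceptionWithPharReferencesDataProvider added to LegacyLinkNotationConverterTest in the following hunk. The test method would also read more consistently with a `: void` return type, since the provider beside it already declares its return.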
index 6124851..701b9cc 100644 (file)
@@ -280,4 +280,36 @@ class LegacyLinkNotationConverterTest extends UnitTestCase
         $subject = new LinkService();
         $this->assertEquals($expected, $subject->asString($parameters));
     }
+
+    /**
+     * @return array
+     */
+    public function resolveThrowExceptionWithPharReferencesDataProvider(): array
+    {
+        return [
+            'URL encoded local' => [
+                'phar%3a//some-file.jpg',
+            ],
+            'URL encoded absolute' => [
+                'phar%3a///path/some-file.jpg',
+            ],
+            'not URL encoded local' => [
+                'phar://some-file.jpg',
+            ],
+            'not URL encoded absolute' => [
+                'phar:///path/some-file.jpg',
+            ],
+        ];
+    }
+
+    /**
+     * @test
+     * @dataProvider resolveThrowExceptionWithPharReferencesDataProvider
+     */
+    public function resolveThrowExceptionWithPharReferences(string $pharUrl)
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionCode(1530030673);
+        (new LegacyLinkNotationConverter())->resolve($pharUrl);
+    }
 }