    [SECURITY] Introduce PHP stream wrapper for phar:// protocol · b3b7d453
    Oliver Hader authored and Oliver Hader committed
    This custom stream wrapper for the phar:// protocol overrides
    PHP's native handling. In case Phar bundles shall be loaded from
    a valid directory, the custom wrapper falls back to the native PHP
    wrapper in order to invoke Phar-related actions.
    In case the location is not trustworthy, an according exception
    is thrown. The custom stream wrapper is registered in the beginning
    of TYPO3's bootstrap class.
    Trusted locations are those in typo3conf/ext/* - anything else is
    denied and not considered as trustworthy.
    Releases: master, 8.7, 7.6
    Resolves: #85385
    Security-Commit: efa085d9a5aebfac6b92309ea53c455b95a81fcc
    Security-Bulletin: TYPO3-CORE-SA-2018-002
    Change-Id: Ifd38eab7a5757e6cfbd6f773a3fed8f3d742e09d
    Reviewed-on: https://review.typo3.org/57558
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
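
The mechanism the commit message describes, sketched as an added example (this is not TYPO3's own `PharStreamWrapper` code): a userland wrapper takes over `phar://`, checks the archive's resolved location, and only then delegates to PHP's native wrapper. The class name `TrustedPharWrapper` and the `TRUSTED_BASE` path are assumptions, the phar extension is assumed to be loaded, and only the read path is covered.

```php
<?php
// Added illustration, not TYPO3's implementation. Class name and TRUSTED_BASE are assumptions.
final class TrustedPharWrapper
{
    const TRUSTED_BASE = '/var/www/html/typo3conf/ext'; // assumed install path
    public $context;  // set by PHP when a stream context is passed
    private $handle;  // native phar stream this wrapper delegates to
    public static function register(): void
    {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', self::class);
    }

    public static function isTrusted(string $url): bool
    {
        $path = substr($url, strlen('phar://'));
        // Walk up from the inner entry to the archive file on disk.
        while (!is_file($path)) {
            $parent = dirname($path);
            if ($parent === $path) { return false; } // no archive file found
            $path = $parent;
        }
        // realpath() collapses ../ and symlinks before the prefix comparison.
        $real = realpath($path);
        $base = realpath(self::TRUSTED_BASE);
        return $real !== false && $base !== false
            && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
    }

    public function stream_open($path, $mode, $options, &$openedPath): bool
    {
        if (!self::isTrusted($path)) {
            throw new RuntimeException('Untrusted Phar location: ' . $path);
        }
        stream_wrapper_restore('phar'); // hand phar:// back to the native wrapper
        try {
            $this->handle = fopen($path, $mode);
        } finally {
            self::register();           // re-arm the guard whatever happened
        }
        return is_resource($this->handle);
    }

    public function stream_read($count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
}
TrustedPharWrapper::register(); // run as early as possible, before any phar:// access
```

The prefix comparison appends a directory separator to the base so that a sibling directory such as `typo3conf/ext-evil/` does not pass the check.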