root / drupal7 / misc / typo3 / drupal-security / PharExtensionInterceptor.php @ cd5c298a
| 1 |
<?php
|
|---|---|
| 2 |
|
| 3 |
namespace Drupal\Core\Security; |
| 4 |
|
| 5 |
use TYPO3\PharStreamWrapper\Assertable; |
| 6 |
use TYPO3\PharStreamWrapper\Helper; |
| 7 |
use TYPO3\PharStreamWrapper\Exception; |
| 8 |
|
| 9 |
/**
|
| 10 |
* An alternate PharExtensionInterceptor to support phar-based CLI tools.
|
| 11 |
*
|
| 12 |
* @see \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor
|
| 13 |
*/
|
| 14 |
class PharExtensionInterceptor implements Assertable { |
| 15 |
|
| 16 |
/**
|
| 17 |
* Determines whether phar file is allowed to execute.
|
| 18 |
*
|
| 19 |
* The phar file is allowed to execute if:
|
| 20 |
* - the base file name has a ".phar" suffix.
|
| 21 |
* - it is the CLI tool that has invoked the interceptor.
|
| 22 |
*
|
| 23 |
* @param string $path
|
| 24 |
* The path of the phar file to check.
|
| 25 |
* @param string $command
|
| 26 |
* The command being carried out.
|
| 27 |
*
|
| 28 |
* @return bool
|
| 29 |
* TRUE if the phar file is allowed to execute.
|
| 30 |
*
|
| 31 |
* @throws Exception
|
| 32 |
* Thrown when the file is not allowed to execute.
|
| 33 |
*/
|
| 34 |
public function assert($path, $command) { |
| 35 |
if ($this->baseFileContainsPharExtension($path)) { |
| 36 |
return TRUE; |
| 37 |
} |
| 38 |
throw new Exception( |
| 39 |
sprintf(
|
| 40 |
'Unexpected file extension in "%s"',
|
| 41 |
$path
|
| 42 |
), |
| 43 |
1535198703
|
| 44 |
); |
| 45 |
} |
| 46 |
|
| 47 |
/**
|
| 48 |
* Determines if a path has a .phar extension or invoked execution.
|
| 49 |
*
|
| 50 |
* @param string $path
|
| 51 |
* The path of the phar file to check.
|
| 52 |
*
|
| 53 |
* @return bool
|
| 54 |
* TRUE if the file has a .phar extension or if the execution has been
|
| 55 |
* invoked by the phar file.
|
| 56 |
*/
|
| 57 |
private function baseFileContainsPharExtension($path) { |
| 58 |
$baseFile = Helper::determineBaseFile($path); |
| 59 |
if ($baseFile === NULL) { |
| 60 |
return FALSE; |
| 61 |
} |
| 62 |
// If the stream wrapper is registered by invoking a phar file that does
|
| 63 |
// not not have .phar extension then this should be allowed. For
|
| 64 |
// example, some CLI tools recommend removing the extension.
|
| 65 |
$backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); |
| 66 |
// Find the last entry in the backtrace containing a 'file' key as
|
| 67 |
// sometimes the last caller is executed outside the scope of a file. For
|
| 68 |
// example, this occurs with shutdown functions.
|
| 69 |
do {
|
| 70 |
$caller = array_pop($backtrace); |
| 71 |
} while (empty($caller['file']) && !empty($backtrace)); |
| 72 |
if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) { |
| 73 |
return TRUE; |
| 74 |
} |
| 75 |
$fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION); |
| 76 |
return strtolower($fileExtension) === 'phar'; |
| 77 |
} |
| 78 |
|
| 79 |
} |