root / drupal7 / misc / typo3 / phar-stream-wrapper / src / Interceptor / PharMetaDataInterceptor.php @ fbb66ca6
1 | fbb66ca6 | Assos Assos | <?php
2 | namespace TYPO3\PharStreamWrapper\Interceptor; |
3 | |||
4 | /*
5 | * This file is part of the TYPO3 project.
6 | *
7 | * It is free software; you can redistribute it and/or modify it under the terms
8 | * of the MIT License (MIT). For the full copyright and license information,
9 | * please read the LICENSE file that was distributed with this source code.
10 | *
11 | * The TYPO3 project - inspiring people to share!
12 | */
13 | |||
14 | use TYPO3\PharStreamWrapper\Assertable; |
15 | use TYPO3\PharStreamWrapper\Exception; |
16 | use TYPO3\PharStreamWrapper\Manager; |
17 | use TYPO3\PharStreamWrapper\Phar\DeserializationException; |
18 | use TYPO3\PharStreamWrapper\Phar\Reader; |
19 | |||
/**
 * Assertion that checks a Phar archive's manifest meta-data for
 * (potentially insecure) serialized objects before access is allowed.
 *
 * @internal Experimental implementation of checking against serialized objects in Phar meta-data
 * @internal This functionality has not been 100% pentested...
 *
 * NOTE(review): given the two @internal remarks above, this check is best
 * treated as one layer among several assertions, not as the only guard
 * against unsafe Phar meta-data.
 */
class PharMetaDataInterceptor implements Assertable
{
    /**
     * Asserts that the Phar archive behind $path carries no problematic
     * meta-data. The method either returns true or throws; it never
     * returns false.
     *
     * The exception message embeds $path verbatim, so code that shows the
     * message to users or writes it to logs should escape it for that
     * output context.
     *
     * @param string $path Path to be checked; resolved through the Manager
     * @param string $command Not evaluated by this interceptor
     * @return bool Always true when no exception is thrown
     * @throws Exception Code 1539632368 if the path cannot be resolved to an
     *                   invocation or the meta-data check fails
     */
    public function assert($path, $command)
    {
        if (!$this->baseFileDoesNotHaveMetaDataIssues($path)) {
            $message = sprintf('Problematic meta-data in "%s"', $path);
            throw new Exception($message, 1539632368);
        }

        return true;
    }

    /**
     * Resolves $path to a Phar invocation and has the archive's manifest
     * meta-data deserialized by the Reader, remembering a successful check
     * on the invocation.
     *
     * The check fails closed: an unresolvable path and a
     * DeserializationException both yield false. Only a successful check is
     * stored on the invocation, so a rejected archive is analyzed again on
     * the next call. Exceptions other than DeserializationException are not
     * caught here and reach the caller.
     *
     * NOTE(review): which meta-data deserializeMetaData() rejects is decided
     * in the manifest implementation, not in this file. Whether a stored
     * "true" can outlive a later change of the archive on disk depends on
     * how long the Manager keeps invocation objects - confirm against
     * Manager::resolve().
     *
     * @param string $path
     * @return bool
     */
    private function baseFileDoesNotHaveMetaDataIssues($path)
    {
        $resolved = Manager::instance()->resolve($path);

        // Nothing to inspect: treat an unresolvable path as problematic.
        if ($resolved === null) {
            return false;
        }

        // Analyze the meta-data unless this invocation already passed before.
        if ($resolved->getVariable(__CLASS__) !== true) {
            try {
                $phar = new Reader($resolved->getBaseName());
                $manifest = $phar->resolveContainer()->getManifest();
                $manifest->deserializeMetaData();
                // Reached only when deserialization raised no exception.
                $resolved->setVariable(__CLASS__, true);
            } catch (DeserializationException $e) {
                return false;
            }
        }

        return true;
    }
}