Revision fbb66ca6
Added by Assos Assos almost 5 years ago
drupal7/misc/typo3/phar-stream-wrapper/README.md | ||
---|---|---|
63 | 63 |
|
64 | 64 |
``` |
65 | 65 |
$behavior = new \TYPO3\PharStreamWrapper\Behavior(); |
66 |
Manager::initialize( |
|
66 |
\TYPO3\PharStreamWrapper\Manager::initialize(
|
|
67 | 67 |
$behavior->withAssertion(new PharExtensionInterceptor()) |
68 | 68 |
); |
69 | 69 |
|
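Review bot: The snippet on lines 65-68 is now only half qualified: `\TYPO3\PharStreamWrapper\Behavior` and the changed `\TYPO3\PharStreamWrapper\Manager::initialize(` carry their full namespace, but `new PharExtensionInterceptor()` on line 67 still does not, so the example does not run as pasted unless the reader adds a matching `use` statement. Either qualify the interceptor class the same way or add the `use` lines above the snippet so the example is self-contained.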
... | ... | |
90 | 90 |
+ `COMMAND_UNLINK` |
91 | 91 |
+ `COMMAND_URL_STAT` |
92 | 92 |
|
93 |
## Interceptor |
|
93 |
## Interceptors
|
|
94 | 94 |
|
95 | 95 |
The following interceptor is shipped with the package and ready to use in order |
96 | 96 |
to block any Phar invocation of files not having a `.phar` suffix. Besides that |
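Review bot: The heading on line 93 becomes plural (`## Interceptors`), but the unchanged intro on lines 95-96 still reads "The following interceptor is shipped with the package and ready to use in order to block any Phar invocation of files not having a `.phar` suffix", which describes a single interceptor. Reword it to introduce all of them (e.g. "The following interceptors are shipped with the package") and keep the `.phar` suffix behaviour with the interceptor it belongs to, otherwise the section promises one thing and documents several.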
... | ... | |
137 | 137 |
} |
138 | 138 |
``` |
139 | 139 |
|
140 |
### ConjunctionInterceptor |
|
141 |
|
|
142 |
This interceptor combines multiple interceptors implementing `Assertable`. |
|
143 |
It succeeds when all nested interceptors succeed as well (logical `AND`). |
|
144 |
|
|
145 |
``` |
|
146 |
$behavior = new \TYPO3\PharStreamWrapper\Behavior(); |
|
147 |
\TYPO3\PharStreamWrapper\Manager::initialize( |
|
148 |
$behavior->withAssertion(new ConjunctionInterceptor(array( |
|
149 |
new PharExtensionInterceptor(), |
|
150 |
new PharMetaDataInterceptor() |
|
151 |
))) |
|
152 |
); |
|
153 |
``` |
|
154 |
|
|
155 |
### PharExtensionInterceptor |
|
156 |
|
|
157 |
This (basic) interceptor just checks whether the invoked Phar archive has |
|
158 |
an according `.phar` file extension. Resolving symbolic links as well as |
|
159 |
Phar internal alias resolving are considered as well. |
|
160 |
|
|
161 |
``` |
|
162 |
$behavior = new \TYPO3\PharStreamWrapper\Behavior(); |
|
163 |
\TYPO3\PharStreamWrapper\Manager::initialize( |
|
164 |
$behavior->withAssertion(new PharExtensionInterceptor()) |
|
165 |
); |
|
166 |
``` |
|
167 |
|
|
168 |
### PharMetaDataInterceptor |
|
169 |
|
|
170 |
This interceptor is actually checking serialized Phar meta-data against |
|
171 |
PHP objects and would consider a Phar archive malicious in case not only |
|
172 |
scalar values are found. A custom low-level `Phar\Reader` is used in order to |
|
173 |
avoid using PHP's `Phar` object which would trigger the initial vulnerability. |
|
174 |
|
|
175 |
``` |
|
176 |
$behavior = new \TYPO3\PharStreamWrapper\Behavior(); |
|
177 |
\TYPO3\PharStreamWrapper\Manager::initialize( |
|
178 |
$behavior->withAssertion(new PharMetaDataInterceptor()) |
|
179 |
); |
|
180 |
``` |
|
181 |
|
|
182 |
## Reader |
|
183 |
|
|
184 |
* `Phar\Reader::__construct(string $fileName)`: Creates low-level reader for Phar archive |
|
185 |
* `Phar\Reader::resolveContainer(): Phar\Container`: Resolves model representing Phar archive |
|
186 |
* `Phar\Container::getStub(): Phar\Stub`: Resolves (plain PHP) stub section of Phar archive |
|
187 |
* `Phar\Container::getManifest(): Phar\Manifest`: Resolves parsed Phar archive manifest as |
|
188 |
documented at http://php.net/manual/en/phar.fileformat.manifestfile.php |
|
189 |
* `Phar\Stub::getMappedAlias(): string`: Resolves internal Phar archive alias defined in stub |
|
190 |
using `Phar::mapPhar('alias.phar')` - actually the plain PHP source is analyzed here |
|
191 |
* `Phar\Manifest::getAlias(): string` - Resolves internal Phar archive alias defined in manifest |
|
192 |
using `Phar::setAlias('alias.phar')` |
|
193 |
* `Phar\Manifest::getMetaData(): string`: Resolves serialized Phar archive meta-data |
|
194 |
* `Phar\Manifest::deserializeMetaData(): mixed`: Resolves deserialized Phar archive meta-data |
|
195 |
containing only scalar values - in case an object is determined, an according |
|
196 |
`Phar\DeserializationException` will be thrown |
|
197 |
|
|
198 |
``` |
|
199 |
$reader = new Phar\Reader('example.phar'); |
|
200 |
var_dump($reader->resolveContainer()->getManifest()->deserializeMetaData()); |
|
201 |
``` |
|
202 |
|
|
140 | 203 |
## Helper |
141 | 204 |
|
142 |
* `Helper::determineBaseFile(string $path)`: Determines base file that can be |
|
205 |
* `Helper::determineBaseFile(string $path): string`: Determines base file that can be
|
|
143 | 206 |
accessed using the regular file system. For instance the following path |
144 | 207 |
`phar:///home/user/bundle.phar/content.txt` would be resolved to |
145 | 208 |
`/home/user/bundle.phar`. |
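Review bot: The new code fences on lines 145, 161, 175 and 198 are untagged; tag them as `php` so they are highlighted and so the PHP-only snippets are not mistaken for shell. Two wording points in the same hunk: lines 171-172 ("would consider a Phar archive malicious in case not only scalar values are found") are ambiguous and should say "in case anything other than scalar values is found", which is what lines 194-196 describe for `deserializeMetaData()`; and the Reader list mixes separators (line 191 uses ` - ` where the other entries use `:`). Finally, since lines 194-196 state that `deserializeMetaData()` throws `Phar\DeserializationException` when an object is encountered, the example on lines 199-200 should wrap the call in a `try`/`catch` for that exception so readers see how a rejected archive surfaces rather than only the success path.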
Update to 7.67