<?php
namespace TYPO3\PharStreamWrapper\Interceptor; |
/*
 * This file is part of the TYPO3 project.
 *
 * It is free software; you can redistribute it and/or modify it under the terms
 * of the MIT License (MIT). For the full copyright and license information,
 * please read the LICENSE file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
use TYPO3\PharStreamWrapper\Assertable; |
use TYPO3\PharStreamWrapper\Exception; |
use TYPO3\PharStreamWrapper\Manager; |
use TYPO3\PharStreamWrapper\Phar\DeserializationException; |
use TYPO3\PharStreamWrapper\Phar\Reader; |
/**
 * Rejects Phar archives whose meta-data does not pass the deserialization
 * check, i.e. archives that contain (potentially insecure) serialized objects.
 *
 * The check fails closed: an archive that cannot be resolved is rejected as
 * well. Given the experimental status stated below, treat this interceptor as
 * one layer of defence rather than the only control in front of Phar handling.
 *
 * @internal Experimental implementation of checking against serialized objects in Phar meta-data
 * @internal This functionality has not been 100% pentested...
 */
class PharMetaDataInterceptor implements Assertable
{
    /**
     * Accepts the Phar archive behind $path or aborts with an exception.
     *
     * @param string $path Path of the Phar resource being accessed.
     * @param string $command Not used by this interceptor.
     * @return bool Always true when the method returns at all.
     * @throws Exception When the archive cannot be resolved or its meta-data is rejected.
     */
    public function assert($path, $command)
    {
        if (!$this->baseFileDoesNotHaveMetaDataIssues($path)) {
            $message = sprintf('Problematic meta-data in "%s"', $path);
            throw new Exception($message, 1539632368);
        }

        return true;
    }

    /**
     * Tells whether the archive behind $path passed the meta-data check.
     *
     * A positive verdict is remembered on the resolved invocation (keyed by
     * this class name) so that later calls for the same invocation skip the
     * analysis. Negative verdicts are not stored and are re-evaluated on
     * every call.
     *
     * @param string $path
     * @return bool False when nothing could be resolved for $path or a
     *              DeserializationException was raised, true otherwise.
     */
    private function baseFileDoesNotHaveMetaDataIssues($path)
    {
        $resolved = Manager::instance()->resolve($path);
        // Fail closed: nothing resolved means nothing was verified.
        if ($resolved === null) {
            return false;
        }

        // Strict comparison: only an earlier positive verdict short-circuits.
        $alreadyAccepted = $resolved->getVariable(__CLASS__) === true;
        if ($alreadyAccepted) {
            return true;
        }

        try {
            $archiveReader = new Reader($resolved->getBaseName());
            $manifest = $archiveReader->resolveContainer()->getManifest();
            // NOTE(review): presumably raises DeserializationException for unsafe
            // meta-data; the implementation lives outside this file - confirm.
            $manifest->deserializeMetaData();
            $resolved->setVariable(__CLASS__, true);
        } catch (DeserializationException $rejected) {
            // Only this exception type is mapped to a rejection here; any other
            // exception propagates to the caller unchanged.
            return false;
        }

        return true;
    }
}