root / drupal7 / misc / typo3 / phar-stream-wrapper / src / Interceptor / PharMetaDataInterceptor.php @ fbb66ca6
| 1 |
<?php
|
|---|---|
| 2 |
namespace TYPO3\PharStreamWrapper\Interceptor; |
| 3 |
|
| 4 |
/*
|
| 5 |
* This file is part of the TYPO3 project.
|
| 6 |
*
|
| 7 |
* It is free software; you can redistribute it and/or modify it under the terms
|
| 8 |
* of the MIT License (MIT). For the full copyright and license information,
|
| 9 |
* please read the LICENSE file that was distributed with this source code.
|
| 10 |
*
|
| 11 |
* The TYPO3 project - inspiring people to share!
|
| 12 |
*/
|
| 13 |
|
| 14 |
use TYPO3\PharStreamWrapper\Assertable; |
| 15 |
use TYPO3\PharStreamWrapper\Exception; |
| 16 |
use TYPO3\PharStreamWrapper\Manager; |
| 17 |
use TYPO3\PharStreamWrapper\Phar\DeserializationException; |
| 18 |
use TYPO3\PharStreamWrapper\Phar\Reader; |
| 19 |
|
| 20 |
/**
|
| 21 |
* @internal Experimental implementation of checking against serialized objects in Phar meta-data
|
| 22 |
* @internal This functionality has not been 100% pentested...
|
| 23 |
*/
|
| 24 |
class PharMetaDataInterceptor implements Assertable |
| 25 |
{
|
| 26 |
/**
|
| 27 |
* Determines whether the according Phar archive contains
|
| 28 |
* (potential insecure) serialized objects.
|
| 29 |
*
|
| 30 |
* @param string $path
|
| 31 |
* @param string $command
|
| 32 |
* @return bool
|
| 33 |
* @throws Exception
|
| 34 |
*/
|
| 35 |
public function assert($path, $command) |
| 36 |
{
|
| 37 |
if ($this->baseFileDoesNotHaveMetaDataIssues($path)) { |
| 38 |
return true; |
| 39 |
} |
| 40 |
throw new Exception( |
| 41 |
sprintf(
|
| 42 |
'Problematic meta-data in "%s"',
|
| 43 |
$path
|
| 44 |
), |
| 45 |
1539632368
|
| 46 |
); |
| 47 |
} |
| 48 |
|
| 49 |
/**
|
| 50 |
* @param string $path
|
| 51 |
* @return bool
|
| 52 |
*/
|
| 53 |
private function baseFileDoesNotHaveMetaDataIssues($path) |
| 54 |
{
|
| 55 |
$invocation = Manager::instance()->resolve($path); |
| 56 |
if ($invocation === null) { |
| 57 |
return false; |
| 58 |
} |
| 59 |
// directly return in case invocation was checked before
|
| 60 |
if ($invocation->getVariable(__CLASS__) === true) { |
| 61 |
return true; |
| 62 |
} |
| 63 |
// otherwise analyze meta-data
|
| 64 |
try {
|
| 65 |
$reader = new Reader($invocation->getBaseName()); |
| 66 |
$reader->resolveContainer()->getManifest()->deserializeMetaData();
|
| 67 |
$invocation->setVariable(__CLASS__, true); |
| 68 |
} catch (DeserializationException $exception) { |
| 69 |
return false; |
| 70 |
} |
| 71 |
return true; |
| 72 |
} |
| 73 |
} |