Home Explore Help
Sign In
bachir
/
Clameurs
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: ec21d1e45f
Branches Tags
Clameurs
/
misc
/
typo3
/
drupal-security
/
PharExtensionInterceptor.php

PharExtensionInterceptor.php 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. <?php
    2. 

  2. 

  3. namespace Drupal\Core\Security;
    4. 

  4. 

  5. use TYPO3\PharStreamWrapper\Assertable;
    6. 

  6. use TYPO3\PharStreamWrapper\Helper;
    7. 

  7. use TYPO3\PharStreamWrapper\Exception;
    8. 

  8. 

  9. /**
    10. 

  10.  * An alternate PharExtensionInterceptor to support phar-based CLI tools.
    11. 

  11.  *
    12. 

  12.  * @see \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor
    13. 

  13.  */
    14. 

  14. class PharExtensionInterceptor implements Assertable {
    15. 

  15. 

  16.   /**
    17. 

  17.    * Determines whether phar file is allowed to execute.
    18. 

  18.    *
    19. 

  19.    * The phar file is allowed to execute if:
    20. 

  20.    * - the base file name has a ".phar" suffix.
    21. 

  21.    * - it is the CLI tool that has invoked the interceptor.
    22. 

  22.    *
    23. 

  23.    * @param string $path
    24. 

  24.    *   The path of the phar file to check.
    25. 

  25.    * @param string $command
    26. 

  26.    *   The command being carried out.
    27. 

  27.    *
    28. 

  28.    * @return bool
    29. 

  29.    *   TRUE if the phar file is allowed to execute.
    30. 

  30.    *
    31. 

  31.    * @throws Exception
    32. 

  32.    *   Thrown when the file is not allowed to execute.
    33. 

  33.    */
    34. 

  34.   public function assert($path, $command) {
    35. 

  35.     if ($this->baseFileContainsPharExtension($path)) {
    36. 

  36.       return TRUE;
    37. 

  37.     }
    38. 

  38.     throw new Exception(
    39. 

  39.       sprintf(
    40. 

  40.         'Unexpected file extension in "%s"',
    41. 

  41.         $path
    42. 

  42.       ),
    43. 

  43.       1535198703
    44. 

  44.     );
    45. 

  45.   }
    46. 

  46. 

  47.   /**
    48. 

  48.    * Determines if a path has a .phar extension or invoked execution.
    49. 

  49.    *
    50. 

  50.    * @param string $path
    51. 

  51.    *   The path of the phar file to check.
    52. 

  52.    *
    53. 

  53.    * @return bool
    54. 

  54.    *   TRUE if the file has a .phar extension or if the execution has been
    55. 

  55.    *   invoked by the phar file.
    56. 

  56.    */
    57. 

  57.   private function baseFileContainsPharExtension($path) {
    58. 

  58.     $baseFile = Helper::determineBaseFile($path);
    59. 

  59.     if ($baseFile === NULL) {
    60. 

  60.       return FALSE;
    61. 

  61.     }
    62. 

  62.     // If the stream wrapper is registered by invoking a phar file that does
    63. 

  63.     // not not have .phar extension then this should be allowed. For
    64. 

  64.     // example, some CLI tools recommend removing the extension.
    65. 

  65.     $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    66. 

  66.     // Find the last entry in the backtrace containing a 'file' key as
    67. 

  67.     // sometimes the last caller is executed outside the scope of a file. For
    68. 

  68.     // example, this occurs with shutdown functions.
    69. 

  69.     do {
    70. 

  70.       $caller = array_pop($backtrace);
    71. 

  71.     } while (empty($caller['file']) && !empty($backtrace));
    72. 

  72.     if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) {
    73. 

  73.       return TRUE;
    74. 

  74.     }
    75. 

  75.     $fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
    76. 

  76.     return strtolower($fileExtension) === 'phar';
    77. 

  77.   }
    78. 

  78. 

  79. }
    80.