file.phar.inc 1.6 KB

1234567891011121314151617181920212223242526272829303132333435363738394041
  1. <?php
  2. use Drupal\Core\Security\PharExtensionInterceptor;
  3. use TYPO3\PharStreamWrapper\Manager as PharStreamWrapperManager;
  4. use TYPO3\PharStreamWrapper\Behavior as PharStreamWrapperBehavior;
  5. use TYPO3\PharStreamWrapper\PharStreamWrapper;
  6. /**
  7. * Registers a phar stream wrapper that is more secure than PHP's built-in one.
  8. *
  9. * @see file_get_stream_wrappers()
  10. */
  11. function file_register_phar_wrapper() {
  12. $directory = DRUPAL_ROOT . '/misc/typo3/phar-stream-wrapper/src';
  13. include_once $directory . '/Assertable.php';
  14. include_once $directory . '/Behavior.php';
  15. include_once $directory . '/Exception.php';
  16. include_once $directory . '/Helper.php';
  17. include_once $directory . '/Manager.php';
  18. include_once $directory . '/PharStreamWrapper.php';
  19. include_once DRUPAL_ROOT . '/misc/typo3/drupal-security/PharExtensionInterceptor.php';
  20. // Set up a stream wrapper to handle insecurities due to PHP's built-in
  21. // phar stream wrapper.
  22. try {
  23. $behavior = new PharStreamWrapperBehavior();
  24. PharStreamWrapperManager::initialize(
  25. $behavior->withAssertion(new PharExtensionInterceptor())
  26. );
  27. }
  28. catch (\LogicException $e) {
  29. // Continue if the PharStreamWrapperManager is already initialized.
  30. // For example, this occurs following a drupal_static_reset(), such
  31. // as during tests.
  32. };
  33. // To prevent file_stream_wrapper_valid_scheme() treating "phar" as a valid
  34. // scheme, this is registered with PHP only, not with hook_stream_wrappers()
  35. // or the internal storage of file_get_stream_wrappers().
  36. stream_wrapper_register('phar', '\\TYPO3\\PharStreamWrapper\\PharStreamWrapper');
  37. }