typo3 / phar-stream-wrapper Goto Github PK

View Code? Open in Web Editor NEW

59.0 59.0 14.0 2.21 MB

Interceptors for PHP's native phar:// stream handling in order to enhance security.

License: MIT License

PHP 100.00%

deserialization insecure-deserialization phar php security stream-wrapper

phar-stream-wrapper's Introduction

TYPO3 CMS

This document provides a basic introduction to TYPO3.

Getting Started

TYPO3 requires a web server with PHP and a database. The backend is accessed via a supported browser.

Please see the Installation Guide in order to set up a basic TYPO3 installation on your web server.

What is TYPO3?

TYPO3 is a free and open source Content Management Framework. It is released under the GNU General Public License. It can run on several web servers, such as Apache, nginx or IIS, on top of many operating systems, among them Linux, Microsoft Windows, FreeBSD or macOS.

TYPO3 was initially authored by Kasper Skårhøj and is now further developed by a community of contributors and the TYPO3 Core Development Team.

To get more info about the GPL license, visit https://opensource.org/licenses/gpl-license

What is a Content Management Framework?

A Content Management Framework is more than just a content management system, due to the separation of the streamlined core and optional plugins (extensions). TYPO3 has an open API that allows you to extend the frontend (website) and/or backend (administration) functionality.

The concept of extensions makes TYPO3 capable of being developed and used in almost any way you can imagine, either by using any of the many extensions which are available for download, or by writing your own.

TYPO3 System requirements

TYPO3 is based upon PHP and uses a database management system like MySQL.

For more specific information regarding requirements see the file INSTALL.md in this folder.

TYPO3 resources

Here is an overview of the most important TYPO3 resources to help you get started:

Get more information

https://typo3.org/ is the main project website. It provides up-to-date official news, information about events and the TYPO3 community.
https://docs.typo3.org/: TYPO3 is one of the most thoroughly documented OpenSource products around, with manuals covering basic tutorials, TypoScript, administration, development, core structure, etc. You should make the time to locate the various documents, and read those that apply to the work you want to do.
https://get.typo3.org/ is the platform where you can download TYPO3 and find all release notes and change logs of TYPO3 releases.
https://extensions.typo3.org/ is the platform where you can search for and download TYPO3 extensions.

Chat with us

The TYPO3 community is using a tool called Slack to openly communicate with each other and with the public. Several TYPO3 teams use Slack as a way to communicate internally and most channels are a welcome place for you to join and get yourself involved.

Register: https://my.typo3.org/about-mytypo3org/slack
Slack: https://typo3.slack.com/

Exchange information, ask questions, get help

Slack is nice for short discussions, but when asking questions, most answers are lost in the noise after a few minutes.

StackOverflow

To let everyone profit from an answer, we recommend to ask questions on StackOverflow. If you like, you can then post a link into the corresponding Slack channel to raise attention. And please, do not forget to tag your questions correctly with typo3 (and possibly other tags like typo3-9.5.x, Fluid or Extbase).

StackOverflow questions tagged "TYPO3"

Official meet the TYPO3 Community overview:

Visit https://typo3.org/community/meet/

Contributing

If you want to contribute to the TYPO3 source code, take a look at our Contributors Walkthrough and Review System:

Please use the TYPO3 Slack chat, if you need help in setting up your contribution environment. The community is very helpful and get you up and running! (Please post your questions in Slack Channel #typo3-cms-coredev regarding contribution support)

The repository at GitHub is a synchronized mirror of the primary TYPO3 core git repository:

https://git.typo3.org/typo3/typo3

If you want to file a bug report, take a look at:

https://forge.typo3.org

Security

If you learn about a potential security issue in the TYPO3 core or in an extension, please always contact the TYPO3 Security Team via [email protected]. Please always include the version number where you've discovered the issue. If we can confirm a problem in a third-party extension, we will inform the author immediately.

If you discover a security problem in your own extension, please inform the TYPO3 Security Team as well. They can help you to fix it, and they may want to issue an advisory once it is fixed.

For more details see TYPO3 Security Team.

Final notes

TYPO3 is said to be one of the most sophisticated PHP / Internet related applications available, and the more you play with it, the more you will agree.

Due to the advanced level of the code and functionality, a degree of study, time and perseverance is required to fully understand it, and get the best from it. You should keep trying, as we say it's definitely worth it. TYPO3 is the Enterprise Content Management System "for all".

The GPL license allows for developments that are based upon TYPO3 to also be freely available under the GPL. Please remember this, because TYPO3 is about "Inspiring People To Share". If you are making money with TYPO3 you can donate or become a member of the TYPO3 Association.

By becoming a supporting member, individuals and organisations mainly fund core development of TYPO3. The decision about what the funds are used for, is made by all members of the Association and the TYPO3 Association Board. The decisions will be made transparent to the community and especially the supporting members. Your funds will also serve for other purposes as laid out in the bylaws.

Copyleft

This document is a part of the TYPO3 project.

phar-stream-wrapper's People

Contributors

Stargazers

Watchers

Forkers

alexpott ausi rexfordkelly-on-php ktomk sjerdo longwave zagrad dazzle-libraries xknown andreaskienast ohader lolli42 shreyakalaria isabella232

phar-stream-wrapper's Issues

Check meta-data deserialization capabilities in PHP 8

Also, change the signature from getMetadata()
to getMetadata(array $unserialize_options = []).
Start throwing earlier if setMetadata() is called and serialization threw.

Scope for this package, craft a bunch of exploits for PHP 8 and see whether it works.
In case it does, this package probably could "hand over" Phar handling to native PHP 8 then...

Connect up appveyor

@ohader can you connect up appveyor and add a status badge to readme? See https://www.appveyor.com/docs/status-badges/

Does not handle fgets returning an error gracefully

If fgets returns false due to an error, this package will crash as it passes a bool to strpos:

TypeError: strpos() expects parameter 1 to be string, bool given in strpos() (line 109 of /var/www/html/jwtest-com/vendor/typo3/phar-stream-wrapper/src/Phar/Reader.php).

I'm still not certain how we got an error from fgets. We were trying to launch the phpstan.phar:

TYPO3\PharStreamWrapper\Phar\Reader->extractData('/var/www/html/jwtest-com/vendor/phpstan/phpstan/phpstan.phar') (Line: 53)

Relevant issue on Drupal.org. This gets triggered with:

    if (!class_exists('PHPStan\ExtensionInstaller\GeneratedConfig')) {

That causes the PHPStan\PharAutoloader to execute:

PHPStan\PharAutoloader::loadClass('PHPStan\ExtensionInstaller\GeneratedConfig')
spl_autoload_call('PHPStan\ExtensionInstaller\GeneratedConfig')
class_exists('PHPStan\ExtensionInstaller\GeneratedConfig') (Line: 589)

And we end up broken. I don't know how many lines it takes to get an error, but it's before feof returns true.

Interceptors fail using Phar archives using internal aliases

Based on

Description

Helper::determineBaseFile($path) is only capable of resolving files that are actually available in the system's file system. Since Phar allows to set internal alias names - in order to be used inside of Phar archives only - the real system path cannot be resolved any more.

Alias names either could be defined using

Phar::setAlias($alias) - persisted to Phar Manifest
Phar::mapPhar($alias) - only in-memory during runtime and executed in Phar's Stub section

Inside Phar archives Phar::running could be used, but this won't work "outside", e.g. in PharStreamWrapper or interceptors (http://php.net/manual/en/phar.running.php) - thus, not an option here.

Deprecate unused constant in PharInvocationResolver

Constant ASSERT_INTERNAL_INVOCATION is not used anymore since eb6607f#diff-0dd07cb25bec3476d9fc1d8a3db389b3L59

Asserting internal alias invocation just did not work out in a simple example like this

require('/path/bundle.phar');
// which internally does e.g. include('phar://bndl/vendor/autoload.php')
// given that Phar stub loads `autoload.php` using an internal alias
$object = new BundledClass();

Add possibility to retrieve low-level Phar internals

Since using new \Phar($path) on a compromised Phar archive would already trigger meta-data extraction, low-level internals like Phar meta-data as well as stub related information shall be extracted.

PHP documentation gives some pointers on Phar internals:

Phar signatures are out-of-scope for this change.

Normalize resolved Windows path to Unix-style

from https://forge.typo3.org/issues/88326

[... PharInvocation::getBaseName()] contains backslashes on windows systems.

Breaking included AWS Phar

Hi. Joomla 3.9.4 updated/included this package.
Currently I'm using aws.phar to use for S3, but since last update, I'm getting this error:

Uncaught TYPO3\PharStreamWrapper\Exception: Unexpected file extension in "phar://aws-3.67.5.phar/aws-autoloader.php"

This error is related to this package, not in Joomla or my own code. Maybe a bug?

Performance down between 0469d9f and b7a21f0

When we upgraded to Drupal 8.6.13 due to the recent security issue we also had several dependencies update, one of them being this library due to Core's version requirement being set to "^2.0.1". So instead of using 2.0.1 as bundled with Core we ended up with the pre-release 2.1.0 and the time it took to run simple Drush commands like status skyrocketed.

With v2.1.0 (b7a21f0) installed we get these numbers:

time drupal status
...
real    0m29.862s
user    0m19.492s
sys     0m10.350s

With v2.0.1 (0469d9f) we get these numers:

time drupal status
...
real    0m2.422s
user    0m1.695s
sys     0m0.705s

The diff looks fairly small, but does seem to introduce brumann/polyfill-unserialize, could that be what's making it take a lot longer?

Breaks typo3 8.7.25 on symlinked webroot

On a typo3 8.7.25 installation that has a symlinked webroot, the following errors occur:

Warning: Uncaught TYPO3\PharStreamWrapper\Exception: Executing phar:///data/sites/web/depontnl/www/typo3conf/ext/emogrifier/Resources/Private/Php/Emogrifier.phar/vendor/autoload.php is denied in /data/sites/web/depontnl/subsites/typo3_src-8.7.25/typo3/sysext/core/Classes/IO/PharStreamWrapperInterceptor.php:39 Stack trace: #0 /data/sites/web/depontnl/subsites/typo3_src-8.7.25/vendor/typo3/phar-stream-wrapper/src/Behavior.php(72): TYPO3\CMS\Core\IO\PharStreamWrapperInterceptor->assert('phar:///data/si...', 'stream_open') #1 /data/sites/web/depontnl/subsites/typo3_src-8.7.25/vendor/typo3/phar-stream-wrapper/src/Manager.php(110): TYPO3\PharStreamWrapper\Behavior->assert('phar:///data/si...', 'stream_open') #2 /data/sites/web/depontnl/subsites/typo3_src-8.7.25/vendor/typo3/phar-stream-wrapper/src/PharStreamWrapper.php(421): TYPO3\PharStreamWrapper\Manager->assert('phar:///data/si...', 'stream_open') #3 /data/sites/web/depontnl/subsites/typo3_src-8.7.25/vendor/typo3/phar-stream-wrapper/src/PharStreamWrapper.php(256): TYPO3\ in /data/sites/web/depontnl/subsites/typo3_src-8.7.25/typo3/sysext/core/Classes/IO/PharStreamWrapperInterceptor.php on line 39

Fatal error: TYPO3\CMS\Core\Utility\GeneralUtility::requireOnce(): Failed opening required 'phar:///data/sites/web/depontnl/www/typo3conf/ext/emogrifier/Resources/Private/Php/Emogrifier.phar/vendor/autoload.php' (include_path='.') in /data/sites/web/depontnl/subsites/typo3_src-8.7.25/typo3/sysext/core/Classes/Utility/GeneralUtility.php on line 4249

Reverting to 8.7.24 resolves it.
The same setup, but then a non-symlinked webroot on staging, generates no errors on 8.7.25, so it seems related to the symlink.

Alias resolving on included Phar files fails

Monitor Drupal reports

This issue is used as pointer for reports of the Drupal community concerning potential regressions:
https://www.drupal.org/project/issues/search?issue_tags=SA-CORE-2019-002%20regression

Ensure PHP 7.4 compatibility

PR #48 started to add compatibility for PHP 7.4 (snapshot), however there are a couple of tests that still fail for 7.4, see https://travis-ci.org/TYPO3/phar-stream-wrapper/builds/570805048

This might be related to current beta state - anyway it's worth taking a closer look...

Including dependencies packed with clue/phar-composer results in exception

In a non-composer TYPO3 project I follow @helhum‘s suggestions here https://insight.helhum.io/post/148112375750/how-to-use-php-libraries-in-legacy-extensions to require third party dependencies.
After an update to a TYPO3 version including phar-stream-wrapper I‘m facing this exception:

#1530103999: Method stream_select() cannot be used

thrown in the line that does actually require the autoload.php file inside the phar, equally to

@include 'phar://' . ExtensionManagementUtility::extPath('ext-key') . 'Libraries/symfony-process.phar/vendor/autoload.php';

Expected behaviour:
Register classes inside phar and load classes from there as needed.

PHP is 5.6.24 and target TYPO3 version is 6.2.40

Enhance variety of test fixtures

use compromised archives that really triggering action
generalize invocation and loading behavior
extend examples for alias Phar archives

Publish new v2.1.0 & v3.1.0 releases

expected release date: March 1st, 2019
addressing realpath and nested Phar setAlias/makePhar issues
introducing new Phar\Reader

#10 & #14
#12 & #15
#16 and/or #17 & #20
#19

Version 2.2.2 not backwards compatible because of strict_types=1

Verison 2.2.2 seems to be published with the wrong sources.

Version 2.2.1 did not have strict_types=1 and no type annotations, version 2.2.2 now includes those which breaks compatibility for 2.2.x. In some projects we still have to use Typo3 7 which exits with an fatal error after update to 2.2.2.

Please publish a release with the correct sources for 2.2.x

PHP Notice: stream_wrapper_restore(): phar:// was never changed

PHPUnit\Framework\Exception: PHP Notice:  stream_wrapper_restore(): phar:// was never changed, nothing to restore in /home/travis/build/TYPO3/phar-stream-wrapper/src/PharStreamWrapper.php on line 498
PHP Stack trace:
PHP   1. TYPO3\PharStreamWrapper\PharStreamWrapper->dir_closedir() /home/travis/build/TYPO3/phar-stream-wrapper/src/PharStreamWrapper.php:0
PHP   2. TYPO3\PharStreamWrapper\PharStreamWrapper->invokeInternalStreamWrapper() /home/travis/build/TYPO3/phar-stream-wrapper/src/PharStreamWrapper.php:51
PHP   3. TYPO3\PharStreamWrapper\PharStreamWrapper->restoreInternalSteamWrapper() /home/travis/build/TYPO3/phar-stream-wrapper/src/PharStreamWrapper.php:481
PHP   4. stream_wrapper_restore() /home/travis/build/TYPO3/phar-stream-wrapper/src/PharStreamWrapper.php:498

see https://travis-ci.org/github/TYPO3/phar-stream-wrapper/builds/741940688
affects PHP 7.3
affects PHP 7.4
(would affect PHP 8.0 as well)
it worked without problems
- Oct 23rd, 2020: https://travis-ci.org/github/TYPO3/phar-stream-wrapper/builds/738386122
- Oct 30th, 2020: https://travis-ci.org/github/TYPO3/phar-stream-wrapper/builds/740262502
failed since
- Nov 6th, 2020: https://travis-ci.com/github/ohader/phar-stream-wrapper/builds/198969352

This probably changed when fix for PHP bug 76943 was applied - and was back-ported to PHP 7.3.24 and 7.4.12.

Extend invocation test cases

Manifest / End of Stub Detection

Due to differences of how PHP Phar detects the end of the Phar stub and how this Phar parser does, it is possible to circumvent the PharMetaDataInterceptor.