diff --git a/composer.lock b/composer.lock index a563f65a18d1209e0b2b5f847756ad4c04ccc868..fe02a95636dc12c68b656a59813eb1e2c55cbb03 100644 --- a/composer.lock +++ b/composer.lock @@ -2538,6 +2538,46 @@ ], "time": "2018-07-13T07:12:17+00:00" }, + { + "name": "typo3/phar-stream-wrapper", + "version": "v2.0.1", + "source": { + "type": "git", + "url": "https://github.com/TYPO3/phar-stream-wrapper.git", + "reference": "0469d9fefa0146ea4299d3b11cfbb76faa7045bf" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/TYPO3/phar-stream-wrapper/zipball/0469d9fefa0146ea4299d3b11cfbb76faa7045bf", + "reference": "0469d9fefa0146ea4299d3b11cfbb76faa7045bf", + "shasum": "" + }, + "require": { + "php": "^5.3.3|^7.0" + }, + "require-dev": { + "phpunit/phpunit": "^4.8.36" + }, + "type": "library", + "autoload": { + "psr-4": { + "TYPO3\\PharStreamWrapper\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "Interceptors for PHP's native phar:// stream handling", + "homepage": "https://typo3.org/", + "keywords": [ + "phar", + "php", + "security", + "stream-wrapper" + ], + "time": "2018-10-18T08:46:28+00:00" + }, { "name": "wikimedia/composer-merge-plugin", "version": "v1.4.1", diff --git a/core/composer.json b/core/composer.json index 37120ae8ceecf4ebb912c65bbf5c1b2af662c21b..34fed39b1ae5d60bc43e5c7eee9274f9c516b1d5 100644 --- a/core/composer.json +++ b/core/composer.json @@ -31,6 +31,7 @@ "symfony/process": "~3.4.0", "symfony/polyfill-iconv": "^1.0", "symfony/yaml": "~3.4.5", + "typo3/phar-stream-wrapper": "^2.0.1", "twig/twig": "^1.35.0", "doctrine/common": "^2.5", "doctrine/annotations": "^1.2", diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php index a099327c99ad5654f854ffc6e996dc2bf4bd83a0..3b14d4d447d431ed1fb759444a3aebba44bc60e7 100644 --- a/core/lib/Drupal/Core/DrupalKernel.php +++ b/core/lib/Drupal/Core/DrupalKernel.php @@ -19,6 +19,7 @@ use Drupal\Core\Http\TrustedHostsRequestFactory; use Drupal\Core\Installer\InstallerRedirectTrait; use Drupal\Core\Language\Language; +use Drupal\Core\Security\PharExtensionInterceptor; use Drupal\Core\Security\RequestSanitizer; use Drupal\Core\Site\Settings; use Drupal\Core\Test\TestDatabase; @@ -35,6 +36,9 @@ use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface; use Symfony\Component\HttpKernel\TerminableInterface; use Symfony\Component\Routing\Route; +use TYPO3\PharStreamWrapper\Manager as PharStreamWrapperManager; +use TYPO3\PharStreamWrapper\Behavior as PharStreamWrapperBehavior; +use TYPO3\PharStreamWrapper\PharStreamWrapper; /** * The DrupalKernel class is the core of Drupal itself. @@ -471,6 +475,26 @@ public function boot() { // Initialize the container. $this->initializeContainer(); + if (in_array('phar', stream_get_wrappers(), TRUE)) { + // Set up a stream wrapper to handle insecurities due to PHP's builtin + // phar stream wrapper. This is not registered as a regular stream wrapper + // to prevent \Drupal\Core\File\FileSystem::validScheme() treating "phar" + // as a valid scheme. + try { + $behavior = new PharStreamWrapperBehavior(); + PharStreamWrapperManager::initialize( + $behavior->withAssertion(new PharExtensionInterceptor()) + ); + } + catch (\LogicException $e) { + // Continue if the PharStreamWrapperManager is already initialized. For + // example, this occurs during a module install. + // @see \Drupal\Core\Extension\ModuleInstaller::install() + }; + stream_wrapper_unregister('phar'); + stream_wrapper_register('phar', PharStreamWrapper::class); + } + $this->booted = TRUE; return $this; diff --git a/core/lib/Drupal/Core/Security/PharExtensionInterceptor.php b/core/lib/Drupal/Core/Security/PharExtensionInterceptor.php new file mode 100644 index 0000000000000000000000000000000000000000..a77e9f84c267cfa2b180db38792b989a80580a23 --- /dev/null +++ b/core/lib/Drupal/Core/Security/PharExtensionInterceptor.php @@ -0,0 +1,73 @@ +baseFileContainsPharExtension($path)) { + return TRUE; + } + throw new Exception( + sprintf( + 'Unexpected file extension in "%s"', + $path + ), + 1535198703 + ); + } + + /** + * @param string $path + * The path of the phar file to check. + * + * @return bool + * TRUE if the file has a .phar extension or if the execution has been + * invoked by the phar file. + */ + private function baseFileContainsPharExtension($path) { + $baseFile = Helper::determineBaseFile($path); + if ($baseFile === NULL) { + return FALSE; + } + // If the stream wrapper is registered by invoking a phar file that does + // not not have .phar extension then this should be allowed. For + // example, some CLI tools recommend removing the extension. + $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); + $caller = array_pop($backtrace); + if (isset($caller['file']) && $baseFile === $caller['file']) { + return TRUE; + } + $fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION); + return strtolower($fileExtension) === 'phar'; + } + +} diff --git a/core/modules/file/file.module b/core/modules/file/file.module index a6f68094a96025cf423aeb018d577e1223e1ee54..0eb9a64ec7aad0c633fe21009f8dd449340ccbdd 100644 --- a/core/modules/file/file.module +++ b/core/modules/file/file.module @@ -23,7 +23,7 @@ /** * The regex pattern used when checking for insecure file types. */ -define('FILE_INSECURE_EXTENSION_REGEX', '/\.(php|pl|py|cgi|asp|js)(\.|$)/i'); +define('FILE_INSECURE_EXTENSION_REGEX', '/\.(phar|php|pl|py|cgi|asp|js)(\.|$)/i'); // Load all Field module hooks for File. require_once __DIR__ . '/file.field.inc'; diff --git a/core/modules/simpletest/files/phar-1.phar b/core/modules/simpletest/files/phar-1.phar new file mode 100644 index 0000000000000000000000000000000000000000..8d25e6d4403979bf0fb37b7d10ff721bc804130d --- /dev/null +++ b/core/modules/simpletest/files/phar-1.phar @@ -0,0 +1,301 @@ + 2, +'c' => 'text/plain', +'cc' => 'text/plain', +'cpp' => 'text/plain', +'c++' => 'text/plain', +'dtd' => 'text/plain', +'h' => 'text/plain', +'log' => 'text/plain', +'rng' => 'text/plain', +'txt' => 'text/plain', +'xsd' => 'text/plain', +'php' => 1, +'inc' => 1, +'avi' => 'video/avi', +'bmp' => 'image/bmp', +'css' => 'text/css', +'gif' => 'image/gif', +'htm' => 'text/html', +'html' => 'text/html', +'htmls' => 'text/html', +'ico' => 'image/x-ico', +'jpe' => 'image/jpeg', +'jpg' => 'image/jpeg', +'jpeg' => 'image/jpeg', +'js' => 'application/x-javascript', +'midi' => 'audio/midi', +'mid' => 'audio/midi', +'mod' => 'audio/mod', +'mov' => 'movie/quicktime', +'mp3' => 'audio/mp3', +'mpg' => 'video/mpeg', +'mpeg' => 'video/mpeg', +'pdf' => 'application/pdf', +'png' => 'image/png', +'swf' => 'application/shockwave-flash', +'tif' => 'image/tiff', +'tiff' => 'image/tiff', +'wav' => 'audio/wav', +'xbm' => 'image/xbm', +'xml' => 'text/xml', +); + +header("Cache-Control: no-cache, must-revalidate"); +header("Pragma: no-cache"); + +$basename = basename(__FILE__); +if (!strpos($_SERVER['REQUEST_URI'], $basename)) { +chdir(Extract_Phar::$temp); +include $web; +return; +} +$pt = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], $basename) + strlen($basename)); +if (!$pt || $pt == '/') { +$pt = $web; +header('HTTP/1.1 301 Moved Permanently'); +header('Location: ' . $_SERVER['REQUEST_URI'] . '/' . $pt); +exit; +} +$a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt); +if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) { +header('HTTP/1.0 404 Not Found'); +echo "\n
\n