Commit 166637fb authored by Andrei Ivnitskii's avatar Andrei Ivnitskii Committed by GitHub

issue #1262: Обновить ядро до версии 7.63 (#1263)

parent b078a0b0
Drupal 7.63, 2019-01-16
-----------------------
- Fixed a fatal error for some Drush users introduced by SA-CORE-2019-002.
Drupal 7.62, 2019-01-15
-----------------------
- Fixed security issues:
- SA-CORE-2019-001
- SA-CORE-2019-002
Drupal 7.61, 2018-11-07
-----------------------
- File upload validation functions and hook_file_validate() implementations are
......
......@@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.61');
define('VERSION', '7.63');
/**
* Core API compatibility.
......@@ -704,6 +704,19 @@ function drupal_environment_initialize() {
// Set sane locale settings, to ensure consistent string, dates, times and
// numbers handling.
setlocale(LC_ALL, 'C');
// PHP's built-in phar:// stream wrapper is not sufficiently secure. Override
// it with a more secure one, which requires PHP 5.3.3. For lower versions,
// unregister the built-in one without replacing it. Sites needing phar
// support for lower PHP versions must implement hook_stream_wrappers() to
// register their desired implementation.
if (in_array('phar', stream_get_wrappers(), TRUE)) {
stream_wrapper_unregister('phar');
if (version_compare(PHP_VERSION, '5.3.3', '>=')) {
include_once DRUPAL_ROOT . '/includes/file.phar.inc';
file_register_phar_wrapper();
}
}
}
/**
......
......@@ -1534,7 +1534,7 @@ function file_save_upload($form_field_name, $validators = array(), $destination
// rename filename.php.foo and filename.php to filename.php.foo.txt and
// filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
// evaluates to TRUE.
if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
// The destination filename will also later be used to create the URI.
$file->filename .= '.txt';
......
<?php
use Drupal\Core\Security\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager as PharStreamWrapperManager;
use TYPO3\PharStreamWrapper\Behavior as PharStreamWrapperBehavior;
use TYPO3\PharStreamWrapper\PharStreamWrapper;
/**
* Registers a phar stream wrapper that is more secure than PHP's built-in one.
*
* @see file_get_stream_wrappers()
*/
function file_register_phar_wrapper() {
$directory = DRUPAL_ROOT . '/misc/typo3/phar-stream-wrapper/src';
include_once $directory . '/Assertable.php';
include_once $directory . '/Behavior.php';
include_once $directory . '/Exception.php';
include_once $directory . '/Helper.php';
include_once $directory . '/Manager.php';
include_once $directory . '/PharStreamWrapper.php';
include_once DRUPAL_ROOT . '/misc/typo3/drupal-security/PharExtensionInterceptor.php';
// Set up a stream wrapper to handle insecurities due to PHP's built-in
// phar stream wrapper.
try {
$behavior = new PharStreamWrapperBehavior();
PharStreamWrapperManager::initialize(
$behavior->withAssertion(new PharExtensionInterceptor())
);
}
catch (\LogicException $e) {
// Continue if the PharStreamWrapperManager is already initialized.
// For example, this occurs following a drupal_static_reset(), such
// as during tests.
};
// To prevent file_stream_wrapper_valid_scheme() treating "phar" as a valid
// scheme, this is registered with PHP only, not with hook_stream_wrappers()
// or the internal storage of file_get_stream_wrappers().
stream_wrapper_register('phar', '\\TYPO3\\PharStreamWrapper\\PharStreamWrapper');
}
<?php
namespace Drupal\Core\Security;
use TYPO3\PharStreamWrapper\Assertable;
use TYPO3\PharStreamWrapper\Helper;
use TYPO3\PharStreamWrapper\Exception;
/**
* An alternate PharExtensionInterceptor to support phar-based CLI tools.
*
* @see \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor
*/
class PharExtensionInterceptor implements Assertable {
/**
* Determines whether phar file is allowed to execute.
*
* The phar file is allowed to execute if:
* - the base file name has a ".phar" suffix.
* - it is the CLI tool that has invoked the interceptor.
*
* @param string $path
* The path of the phar file to check.
* @param string $command
* The command being carried out.
*
* @return bool
* TRUE if the phar file is allowed to execute.
*
* @throws Exception
* Thrown when the file is not allowed to execute.
*/
public function assert($path, $command) {
if ($this->baseFileContainsPharExtension($path)) {
return TRUE;
}
throw new Exception(
sprintf(
'Unexpected file extension in "%s"',
$path
),
1535198703
);
}
/**
* Determines if a path has a .phar extension or invoked execution.
*
* @param string $path
* The path of the phar file to check.
*
* @return bool
* TRUE if the file has a .phar extension or if the execution has been
* invoked by the phar file.
*/
private function baseFileContainsPharExtension($path) {
$baseFile = Helper::determineBaseFile($path);
if ($baseFile === NULL) {
return FALSE;
}
// If the stream wrapper is registered by invoking a phar file that does
// not not have .phar extension then this should be allowed. For
// example, some CLI tools recommend removing the extension.
$backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
// Find the last entry in the backtrace containing a 'file' key as
// sometimes the last caller is executed outside the scope of a file. For
// example, this occurs with shutdown functions.
do {
$caller = array_pop($backtrace);
} while (empty($caller['file']) && !empty($backtrace));
if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) {
return TRUE;
}
$fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
return strtolower($fileExtension) === 'phar';
}
}
MIT License
Copyright (c) 2018 TYPO3 project - https://typo3.org/
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/badges/quality-score.png?b=v2)](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/?branch=v2)
[![Travis CI Build Status](https://travis-ci.org/TYPO3/phar-stream-wrapper.svg?branch=v2)](https://travis-ci.org/TYPO3/phar-stream-wrapper)
# PHP Phar Stream Wrapper
## Abstract & History
Based on Sam Thomas' findings concerning
[insecure deserialization in combination with obfuscation strategies](https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are)
allowing to hide Phar files inside valid image resources, the TYPO3 project
decided back then to introduce a `PharStreamWrapper` to intercept invocations
of the `phar://` stream in PHP and only allow usage for defined locations in
the file system.
Since the TYPO3 mission statement is **inspiring people to share**, we thought
it would be helpful for others to release our `PharStreamWrapper` as standalone
package to the PHP community.
The mentioned security issue was reported to TYPO3 on 10th June 2018 by Sam Thomas
and has been addressed concerning the specific attack vector and for this generic
`PharStreamWrapper` in TYPO3 versions 7.6.30 LTS, 8.7.17 LTS and 9.3.1 on 12th
July 2018.
* https://typo3.org/security/advisory/typo3-core-sa-2018-002/
* https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
* https://youtu.be/GePBmsNJw6Y
## License
In general the TYPO3 core is released under the GNU General Public License version
2 or any later version (`GPL-2.0-or-later`). In order to avoid licensing issues and
incompatibilities this `PharStreamWrapper` is licenced under the MIT License. In case
you duplicate or modify source code, credits are not required but really appreciated.
## Credits
Thanks to [Alex Pott](https://github.com/alexpott), Drupal for creating
back-ports of all sources in order to provide compatibility with PHP v5.3.
## Installation
The `PharStreamWrapper` is provided as composer package `typo3/phar-stream-wrapper`
and has minimum requirements of PHP v5.3 ([`v2`](https://github.com/TYPO3/phar-stream-wrapper/tree/v2) branch) and PHP v7.0 ([`master`](https://github.com/TYPO3/phar-stream-wrapper) branch).
### Installation for PHP v7.0
```
composer require typo3/phar-stream-wrapper ^3.0
```
### Installation for PHP v5.3
```
composer require typo3/phar-stream-wrapper ^2.0
```
## Example
The following example is bundled within this package, the shown
`PharExtensionInterceptor` denies all stream wrapper invocations files
not having the `.phar` suffix. Interceptor logic has to be individual and
adjusted to according requirements.
```
$behavior = new \TYPO3\PharStreamWrapper\Behavior();
Manager::initialize(
$behavior->withAssertion(new PharExtensionInterceptor())
);
if (in_array('phar', stream_get_wrappers())) {
stream_wrapper_unregister('phar');
stream_wrapper_register('phar', 'TYPO3\\PharStreamWrapper\\PharStreamWrapper');
}
```
* `PharStreamWrapper` defined as class reference will be instantiated each time
`phar://` streams shall be processed.
* `Manager` as singleton pattern being called by `PharStreamWrapper` instances
in order to retrieve individual behavior and settings.
* `Behavior` holds reference to interceptor(s) that shall assert correct/allowed
invocation of a given `$path` for a given `$command`. Interceptors implement
the interface `Assertable`. Interceptors can act individually on following
commands or handle all of them in case not defined specifically:
+ `COMMAND_DIR_OPENDIR`
+ `COMMAND_MKDIR`
+ `COMMAND_RENAME`
+ `COMMAND_RMDIR`
+ `COMMAND_STEAM_METADATA`
+ `COMMAND_STREAM_OPEN`
+ `COMMAND_UNLINK`
+ `COMMAND_URL_STAT`
## Interceptor
The following interceptor is shipped with the package and ready to use in order
to block any Phar invocation of files not having a `.phar` suffix. Besides that
individual interceptors are possible of course.
```
class PharExtensionInterceptor implements Assertable
{
/**
* Determines whether the base file name has a ".phar" suffix.
*
* @param string $path
* @param string $command
* @return bool
* @throws Exception
*/
public function assert($path, $command)
{
if ($this->baseFileContainsPharExtension($path)) {
return true;
}
throw new Exception(
sprintf(
'Unexpected file extension in "%s"',
$path
),
1535198703
);
}
/**
* @param string $path
* @return bool
*/
private function baseFileContainsPharExtension($path)
{
$baseFile = Helper::determineBaseFile($path);
if ($baseFile === null) {
return false;
}
$fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
return strtolower($fileExtension) === 'phar';
}
}
```
## Helper
* `Helper::determineBaseFile(string $path)`: Determines base file that can be
accessed using the regular file system. For instance the following path
`phar:///home/user/bundle.phar/content.txt` would be resolved to
`/home/user/bundle.phar`.
* `Helper::resetOpCache()`: Resets PHP's OPcache if enabled as work-around for
issues in `include()` or `require()` calls and OPcache delivering wrong
results. More details can be found in PHP's bug tracker, for instance like
https://bugs.php.net/bug.php?id=66569
## Security Contact
In case of finding additional security issues in the TYPO3 project or in this
`PharStreamWrapper` package in particular, please get in touch with the
[TYPO3 Security Team](mailto:security@typo3.org).
{
"name": "typo3/phar-stream-wrapper",
"description": "Interceptors for PHP's native phar:// stream handling",
"type": "library",
"license": "MIT",
"homepage": "https://typo3.org/",
"keywords": ["php", "phar", "stream-wrapper", "security"],
"require": {
"php": "^5.3.3|^7.0"
},
"require-dev": {
"phpunit/phpunit": "^4.8.36"
},
"autoload": {
"psr-4": {
"TYPO3\\PharStreamWrapper\\": "src/"
}
},
"autoload-dev": {
"psr-4": {
"TYPO3\\PharStreamWrapper\\Tests\\": "tests/"
}
}
}
<?php
namespace TYPO3\PharStreamWrapper;
/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
interface Assertable
{
/**
* @param string $path
* @param string $command
* @return bool
*/
public function assert($path, $command);
}
<?php
namespace TYPO3\PharStreamWrapper;
/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
class Behavior implements Assertable
{
const COMMAND_DIR_OPENDIR = 'dir_opendir';
const COMMAND_MKDIR = 'mkdir';
const COMMAND_RENAME = 'rename';
const COMMAND_RMDIR = 'rmdir';
const COMMAND_STEAM_METADATA = 'stream_metadata';
const COMMAND_STREAM_OPEN = 'stream_open';
const COMMAND_UNLINK = 'unlink';
const COMMAND_URL_STAT = 'url_stat';
/**
* @var string[]
*/
private $availableCommands = array(
self::COMMAND_DIR_OPENDIR,
self::COMMAND_MKDIR,
self::COMMAND_RENAME,
self::COMMAND_RMDIR,
self::COMMAND_STEAM_METADATA,
self::COMMAND_STREAM_OPEN,
self::COMMAND_UNLINK,
self::COMMAND_URL_STAT,
);
/**
* @var Assertable[]
*/
private $assertions;
/**
* @param Assertable $assertable
* @return static
*/
public function withAssertion(Assertable $assertable)
{
$commands = func_get_args();
array_shift($commands);
$this->assertCommands($commands);
$commands = $commands ?: $this->availableCommands;
$target = clone $this;
foreach ($commands as $command) {
$target->assertions[$command] = $assertable;
}
return $target;
}
/**
* @param string $path
* @param string $command
* @return bool
*/
public function assert($path, $command)
{
$this->assertCommand($command);
$this->assertAssertionCompleteness();
return $this->assertions[$command]->assert($path, $command);
}
/**
* @param array $commands
*/
private function assertCommands(array $commands)
{
$unknownCommands = array_diff($commands, $this->availableCommands);
if (empty($unknownCommands)) {
return;
}
throw new \LogicException(
sprintf(
'Unknown commands: %s',
implode(', ', $unknownCommands)
),
1535189881
);
}
private function assertCommand($command)
{
if (in_array($command, $this->availableCommands, true)) {
return;
}
throw new \LogicException(
sprintf(
'Unknown command "%s"',
$command
),
1535189882
);
}
private function assertAssertionCompleteness()
{
$undefinedAssertions = array_diff(
$this->availableCommands,
array_keys($this->assertions)
);
if (empty($undefinedAssertions)) {
return;
}
throw new \LogicException(
sprintf(
'Missing assertions for commands: %s',
implode(', ', $undefinedAssertions)
),
1535189883
);
}
}
<?php
namespace TYPO3\PharStreamWrapper;
/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
class Exception extends \RuntimeException
{
}
<?php
namespace TYPO3\PharStreamWrapper;
/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
class Helper
{
/*
* Resets PHP's OPcache if enabled as work-around for issues in `include()`
* or `require()` calls and OPcache delivering wrong results.
*
* @see https://bugs.php.net/bug.php?id=66569
*/
public static function resetOpCache()
{
if (function_exists('opcache_reset')
&& function_exists('opcache_get_status')
) {
$status = opcache_get_status();
if (!empty($status['opcache_enabled'])) {
opcache_reset();
}
}
}
/**
* Determines base file that can be accessed using the regular file system.
* For e.g. "phar:///home/user/bundle.phar/content.txt" that would result
* into "/home/user/bundle.phar".
*
* @param string $path
* @return string|null
*/
public static function determineBaseFile($path)
{
$parts = explode('/', static::normalizePath($path));
while (count($parts)) {
$currentPath = implode('/', $parts);
if (@is_file($currentPath)) {
return $currentPath;
}
array_pop($parts);
}
return null;
}
/**
* @param string $path
* @return string
*/
public static function removePharPrefix($path)
{
$path = trim($path);
if (stripos($path, 'phar://') !== 0) {
return $path;
}
return substr($path, 7);
}
/**
* Normalizes a path, removes phar:// prefix, fixes Windows directory
* separators. Result is without trailing slash.
*
* @param string $path
* @return string
*/
public static function normalizePath($path)
{
return rtrim(
static::getCanonicalPath(
static::removePharPrefix($path)
),
'/'
);
}
/**
* Fixes a path for windows-backslashes and reduces double-slashes to single slashes
*
* @param string $path File path to process
* @return string
*/
private static function normalizeWindowsPath($path)
{
return str_replace('\\', '/', $path);
}
/**
* Resolves all dots, slashes and removes spaces after or before a path...
*
* @param string $path Input string
* @return string Canonical path, always without trailing slash
*/
private static function getCanonicalPath($path)
{
$path = static::normalizeWindowsPath($path);
$absolutePathPrefix = '';
if (static::isAbsolutePath($path)) {
if (static::isWindows() && strpos($path, ':/') === 1) {
$absolutePathPrefix = substr($path, 0, 3);
$path = substr($path, 3);
} else {
$path = ltrim($path, '/');
$absolutePathPrefix = '/';
}
}
$pathParts = explode('/', $path);
$pathPartsLength = count($pathParts);