
Commit 0108f1b

committed
fix: [security] unregister phar from stream wrappers globally for all Model code
- blanket protection against phar deserialization vulnerabilities - as reported by Dawid Czarnecki of Zigrin Security
1 parent 3dc5090 commit 0108f1b


1 file changed

+3
-0
lines changed


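--- a/app/Model/AppModel.php
+++ b/app/Model/AppModel.php
@@ -51,6 +51,9 @@ public function __construct($id = false, $table = null, $ds = null)
 {
 parent::__construct($id, $table, $ds);
 $this->findMethods['column'] = true;
+if (in_array('phar', stream_get_wrappers())) {
+stream_wrapper_unregister('phar');
+}
 }
 
 // deprecated, use $db_changes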
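Review bot: The unregister sits inside `AppModel::__construct`, so the `phar` wrapper stays registered until the first model is instantiated; any file operation on a user-influenced path that runs earlier in the request, or in code that never builds a model, does not appear to be covered by this hunk. Running it once at application bootstrap would make the protection unconditional and avoid calling `stream_get_wrappers()` on every model construction. If it stays here, make the membership test strict and check the result, e.g. `if (in_array('phar', stream_get_wrappers(), true) && !stream_wrapper_unregister('phar')) { /* log the failure */ }`, since a silent `false` return leaves the wrapper active. A one-line comment such as `// phar:// paths make file functions unserialize archive metadata; keep the wrapper unregistered` would stop a later cleanup from removing the guard. The constructor's signature is visible only in the hunk header.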
