fix: [security] unregister phar from stream wrappers globally for all…
… Model code

- blanket protection against phar deserialization vulnerabilities

- as reported by Dawid Czarnecki of Zigrin Security
iglocska committed Apr 17, 2022
1 parent 3dc5090 commit 0108f1b
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions app/Model/AppModel.php
Expand Up @@ -51,6 +51,9 @@ public function __construct($id = false, $table = null, $ds = null)
{
parent::__construct($id, $table, $ds);
$this->findMethods['column'] = true;
if (in_array('phar', stream_get_wrappers())) {
stream_wrapper_unregister('phar');
}
}

// deprecated, use $db_changes
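Review bot: The unregister call sits in AppModel::__construct(), so it takes effect only once the first model has been instantiated, and the in_array('phar', stream_get_wrappers()) check then repeats on every later model construction. Any file operation on a user-influenced path that runs before a model exists in the request is not covered by this guard. Consider doing the unregister once in the application's bootstrap instead, so it applies to the whole request regardless of which code runs first. The return value of stream_wrapper_unregister('phar') is also ignored; since this is a security control, a false return should at least be logged. A short comment above the if explaining that phar:// is removed to block deserialization through phar metadata would help keep a later cleanup from deleting these lines.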