[SECURITY] Mitigate phar stream wrapper

SoftReferenceIndex throws exceptions on phar streams LegacyLinkNotationConverter throws exceptions on phar streams Resolves: #85385 Releases: master, 8.7, 7.6 Security-Commit: 4fde9d6a2333435af9033f55e9a5e2d428f6ea0d Security-Bulletin: TYPO3-CORE-SA-2018-002 Change-Id: I69333fff4d94dc7369ba729333a39e8be5dda7a3 Reviewed-on: https://review.typo3.org/57559 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 12, 2018 · 421ef42 · 421ef42
1 parent b3b7d45
commit 421ef42
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 0 deletions.
diff --git a/typo3/sysext/core/Classes/Database/SoftReferenceIndex.php b/typo3/sysext/core/Classes/Database/SoftReferenceIndex.php
@@ -445,6 +445,13 @@ public function getTypoLinkParts($typolinkValue)
         // we define various keys below, "url" might be misleading
         unset($finalTagParts['url']);
 
+        if (stripos(rawurldecode(trim($link_param)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030672
+            );
+        }
+
         // Parse URL:
         $pU = @parse_url($link_param);
 

diff --git a/typo3/sysext/core/Classes/LinkHandling/LegacyLinkNotationConverter.php b/typo3/sysext/core/Classes/LinkHandling/LegacyLinkNotationConverter.php
@@ -56,6 +56,13 @@ class LegacyLinkNotationConverter
      */
     public function resolve(string $linkParameter): array
     {
+        if (stripos(rawurldecode(trim($linkParameter)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030673
+            );
+        }
+
         $result = [];
         // Parse URL scheme
         $scheme = parse_url($linkParameter, PHP_URL_SCHEME);

diff --git a/typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php b/typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php
@@ -0,0 +1,57 @@
+<?php
+declare(strict_types = 1);
+namespace TYPO3\CMS\Core\Tests\Unit\Database;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use TYPO3\CMS\Core\Database\SoftReferenceIndex;
+use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
+
+/**
+ * Test case
+ */
+class SoftReferenceIndexTest extends UnitTestCase
+{
+    /**
+     * @return array
+     */
+    public function getTypoLinkPartsThrowExceptionWithPharReferencesDataProvider(): array
+    {
+        return [
+            'URL encoded local' => [
+                'phar%3a//some-file.jpg',
+            ],
+            'URL encoded absolute' => [
+                'phar%3a///path/some-file.jpg',
+            ],
+            'not URL encoded local' => [
+                'phar://some-file.jpg',
+            ],
+            'not URL encoded absolute' => [
+                'phar:///path/some-file.jpg',
+            ],
+        ];
+    }
+
+    /**
+     * @test
+     * @dataProvider getTypoLinkPartsThrowExceptionWithPharReferencesDataProvider
+     */
+    public function getTypoLinkPartsThrowExceptionWithPharReferences(string $pharUrl)
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionCode(1530030672);
+        (new SoftReferenceIndex())->getTypoLinkParts($pharUrl);
+    }
+}
diff --git a/typo3/sysext/core/Tests/Unit/LinkHandling/LegacyLinkNotationConverterTest.php b/typo3/sysext/core/Tests/Unit/LinkHandling/LegacyLinkNotationConverterTest.php
@@ -280,4 +280,36 @@ public function splitParametersToUnifiedIdentifierForFiles($input, $parameters,
         $subject = new LinkService();
         $this->assertEquals($expected, $subject->asString($parameters));
     }
+
+    /**
+     * @return array
+     */
+    public function resolveThrowExceptionWithPharReferencesDataProvider(): array
+    {
+        return [
+            'URL encoded local' => [
+                'phar%3a//some-file.jpg',
+            ],
+            'URL encoded absolute' => [
+                'phar%3a///path/some-file.jpg',
+            ],
+            'not URL encoded local' => [
+                'phar://some-file.jpg',
+            ],
+            'not URL encoded absolute' => [
+                'phar:///path/some-file.jpg',
+            ],
+        ];
+    }
+
+    /**
+     * @test
+     * @dataProvider resolveThrowExceptionWithPharReferencesDataProvider
+     */
+    public function resolveThrowExceptionWithPharReferences(string $pharUrl)
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionCode(1530030673);
+        (new LegacyLinkNotationConverter())->resolve($pharUrl);
+    }
 }