-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support CLI tools that use phars without a .phar extension #7
Conversation
…ar extension so some CLI tools work.
For example of such a CLI tool - see https://getcomposer.org/doc/00-intro.md#globally |
Here's the code for cli_phar as it is a binary diff and therefore is not so easy to work with.
|
Thanks for your pull-request. I'm going to look into that in more details during the next days... |
In addition I've created an experimental Phar meta-data analyzer a couple of weeks ago in branch feature/phar-reader, see https://github.com/TYPO3/phar-stream-wrapper/blob/feature/phar-reader/src/Interceptor/PharMetaDataInterceptor.php
This way if could be detected, whether the file itself is malicious in terms of insecure deserialization - instead of just checking the file extension. Any feedback or tests are welcome of course... |
Note: This PR will need updated - per https://www.drupal.org/project/drupal/issues/3026386, not all backtraces have a "file" key, and some "file" entries include the |
Drupal discovered another issue now we've put this out in a security release - see https://www.drupal.org/project/drupal/issues/3026443 Basically Phar aliases break \TYPO3\PharStreamWrapper\Helper::determineBaseFile() because there's no way that can resolve the Phar alias that only exists inside the phar file. |
Thanks for your feedback. I tried to read through the comments in the issue you mentioned, but failed to understand the according context. Are those failure related to CLI invocation only? Or does it happen when being called in a web context (using different PHP_SAPI)? If you could point me to source code or 3rd party packages and how they are using Phar aliases, I could create according test cases. |
@alexpott I just read your last comment https://www.drupal.org/project/drupal/issues/3026443#comment-12930646
I assume that should be used in order to determine the alias (I still have to dig into the problem in real source code)... However, having |
@ohader re |
@ohader the drupal issue has all the test code, necessary test phars and also the code to build them :) |
src/PharStreamWrapper.php
Outdated
if ($this->resolveAssertable()->assert($path, $command) === true) { | ||
if ($basePath && !isset($this->aliases[$path])) { | ||
$this->restoreInternalSteamWrapper(); | ||
$this->aliases[$path] = (new \Phar(realpath($basePath)))->getAlias(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
$path should be $basePath here unless I miss something.
So there are some issues with this PR.
|
|
@ohader I agree, I also searched the PHP code base for how mapPhar and setAlias work and the best I could determine was that if you use The better way for box and co would be to call In theory we could create a patcher tool to allow people to patch their phar files without aliases to have the same as internally used via mapPhar(). Edit: I tested it, a tool to set an alias afterwards is as simple as with phar.readonly=0:
Important fact, if alias is not set, then it seems to fallback to the whole file name. |
Alright, I'd like to proceed as following
|
Addressed in PR #12 |
Some CLI tools are shipped as phar files and the install instructions tell users to rename the cli_command.phar to cli_command.
In this instance the interceptor can produce false positives because it is handling a phar file without a phar extension. But the very first caller is a phar file so I think it is safe to assume this is intentional.