Disable the phar stream wrapper #105
What about adding this in

Then it would be disabled in any application that requires

I think this is probably not something a bundle should do.

Didn't we agree to have an environment flag to disable this in the entry point?

As anyone can re-enable the stream wrapper with

Probably yes, but we could also add it in the manager bundle instead.

This code is not related to autoloading, so it should not go into the composer.json autoload config IMO. Any opinions from the other @contao/developers ?
Thank you @ausi. |
Because of the newly discovered unserialization attack via the `phar://` stream wrapper (Black Hat talk), we should disable the phar stream wrapper for the whole application. It should be noted that this is only a preventive measure and shouldn’t be considered a “fix” for this kind of attack. We must never pass user controlled values directly to any file operation functions without validating them.
If anybody needs the stream wrapper for a specific use case in their project or extension, I think the following code snippet should be safe to use:
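The snippet referred to above is not present on this page. What follows is an added example, not the PR author's or the Contao project's own code, of the two pieces discussed in the thread: unregistering the `phar://` wrapper in the entry point behind an environment flag (the flag name `DISABLE_PHAR_STREAM_WRAPPER` and the archive path are assumptions), and a scoped helper that restores the built-in wrapper only for one trusted call.

```php
<?php
// Added example, not from the PR. Disables the phar:// wrapper at the entry
// point unless the (assumed) DISABLE_PHAR_STREAM_WRAPPER env flag is set to "0".

declare(strict_types=1);

/** Unregister phar:// so file functions can no longer trigger phar metadata unserialization. */
function disablePharStreamWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

/**
 * Run $callback with the built-in phar:// wrapper temporarily restored and
 * unregister it again afterwards, even if the callback throws.
 *
 * @template T
 * @param callable(): T $callback
 * @return T
 */
function withPharStreamWrapper(callable $callback)
{
    $wasDisabled = !in_array('phar', stream_get_wrappers(), true);

    if ($wasDisabled) {
        // stream_wrapper_restore() brings back PHP's built-in wrapper, never a user-defined one
        stream_wrapper_restore('phar');
    }

    try {
        return $callback();
    } finally {
        if ($wasDisabled) {
            stream_wrapper_unregister('phar');
        }
    }
}

// Entry point (e.g. web/app.php, assumed): disabled by default, opt out explicitly.
if (getenv('DISABLE_PHAR_STREAM_WRAPPER') !== '0') {
    disablePharStreamWrapper();
}

// Scoped use for a developer-controlled archive (constructed path, never user input).
$trustedPhar = __DIR__ . '/vendor/tool.phar';
$hasVersionFile = withPharStreamWrapper(static function () use ($trustedPhar): bool {
    return is_file('phar://' . $trustedPhar . '/VERSION');
});
```

Outside the callback, `phar://` paths are rejected again, so a user-supplied path reaching `file_exists()` or `include` elsewhere in the application cannot select the phar wrapper.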