Disable the phar stream wrapper

[ausi]

As of the newly discovered unserialization attack via the phar:// stream wrapper (Black Hat talk), we should disable the phar stream wrapper for the whole application.

It should be noted that this is only a preventive measure and shouldn’t be considered a “fix” for this kind of attacks. We must never pass user controlled values directly to any file operation functions without validating them.

If anybody needs the stream wrapper for a specific use case in their project or extension, I think the following code snippet should be safe to use:

if ($pharDisabled = !\in_array('phar', stream_get_wrappers(), true)) {
	stream_wrapper_restore('phar');
}
try {
	// Your code using phar://...
}
finally {
	if ($pharDisabled) {
		stream_wrapper_unregister('phar');
	}
}

[leofeyer]

What about adding this in src/Resouces/contao/functions as we do to initialize the Patchwork UTF8 library? The file is then loaded via Composer.

[ausi]

Then it would be disabled in any application that requires contao/core-bundle. Do we want that?

I think this is probably not something a bundle should do.

[aschempp]

Didn't we agree to have an environment flag to disable this in the entry point?

[ausi]

As anyone can reenable the stream wrapper with stream_wrapper_restore('phar') we concluded that the environment flag is not necessary AFAIR.

[leofeyer]

Then it would be disabled in any application that requires contao/core-bundle. Do we want that?

Probably yes, but we could also add it in the manager bundle instead.

[ausi]

This code is not related to autoloading, so it should not go into the composer.json autoload config IMO.

Any opinions from the other @contao/developers ?
Should this code go into the app.php or into src/Resouces/contao/functions and be loaded via Composer?

[Toflar]

app.php.

[leofeyer]

Thank you @ausi.