Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apply the changes from D6LTS SA-CORE-2019-002. #126

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1479,6 +1479,18 @@ function _drupal_bootstrap($phase) {

case DRUPAL_BOOTSTRAP_CONFIGURATION:
drupal_unset_globals();
// PHP's built-in phar:// stream wrapper is not sufficiently secure. Override
// it with a more secure one, which requires PHP 5.3.3. For lower versions,
// unregister the built-in one without replacing it. Sites needing phar
// support for lower PHP versions must implement hook_stream_wrappers() to
// register their desired implementation.
if (in_array('phar', stream_get_wrappers(), TRUE)) {
stream_wrapper_unregister('phar');
if (version_compare(PHP_VERSION, '5.3.3', '>=')) {
include_once './includes/file.phar.inc';
file_register_phar_wrapper();
}
}
// Start a page timer:
timer_start('page');
// Initialize the configuration
Expand Down
2 changes: 1 addition & 1 deletion includes/file.inc
Original file line number Diff line number Diff line change
Expand Up @@ -701,7 +701,7 @@ function file_save_upload($source, $validators = array(), $dest = FALSE, $replac
}

// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
$file->filepath .= '.txt';
$file->filename .= '.txt';
Expand Down
41 changes: 41 additions & 0 deletions includes/file.phar.inc
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<?php

use Drupal\Core\Security\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager as PharStreamWrapperManager;
use TYPO3\PharStreamWrapper\Behavior as PharStreamWrapperBehavior;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

/**
* Registers a phar stream wrapper that is more secure than PHP's built-in one.
*
* @see file_get_stream_wrappers()
*/
function file_register_phar_wrapper() {
$directory = './misc/typo3/phar-stream-wrapper/src';
include_once $directory . '/Assertable.php';
include_once $directory . '/Behavior.php';
include_once $directory . '/Exception.php';
include_once $directory . '/Helper.php';
include_once $directory . '/Manager.php';
include_once $directory . '/PharStreamWrapper.php';
include_once './misc/typo3/drupal-security/PharExtensionInterceptor.php';

// Set up a stream wrapper to handle insecurities due to PHP's built-in
// phar stream wrapper.
try {
$behavior = new PharStreamWrapperBehavior();
PharStreamWrapperManager::initialize(
$behavior->withAssertion(new PharExtensionInterceptor())
);
}
catch (\LogicException $e) {
// Continue if the PharStreamWrapperManager is already initialized.
// For example, this occurs following a drupal_static_reset(), such
// as during tests.
};

// To prevent file_stream_wrapper_valid_scheme() treating "phar" as a valid
// scheme, this is registered with PHP only, not with hook_stream_wrappers()
// or the internal storage of file_get_stream_wrappers().
stream_wrapper_register('phar', '\\TYPO3\\PharStreamWrapper\\PharStreamWrapper');
}
79 changes: 79 additions & 0 deletions misc/typo3/drupal-security/PharExtensionInterceptor.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
<?php

namespace Drupal\Core\Security;

use TYPO3\PharStreamWrapper\Assertable;
use TYPO3\PharStreamWrapper\Helper;
use TYPO3\PharStreamWrapper\Exception;

/**
* An alternate PharExtensionInterceptor to support phar-based CLI tools.
*
* @see \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor
*/
class PharExtensionInterceptor implements Assertable {

/**
* Determines whether phar file is allowed to execute.
*
* The phar file is allowed to execute if:
* - the base file name has a ".phar" suffix.
* - it is the CLI tool that has invoked the interceptor.
*
* @param string $path
* The path of the phar file to check.
* @param string $command
* The command being carried out.
*
* @return bool
* TRUE if the phar file is allowed to execute.
*
* @throws Exception
* Thrown when the file is not allowed to execute.
*/
public function assert($path, $command) {
if ($this->baseFileContainsPharExtension($path)) {
return TRUE;
}
throw new Exception(
sprintf(
'Unexpected file extension in "%s"',
$path
),
1535198703
);
}

/**
* Determines if a path has a .phar extension or invoked execution.
*
* @param string $path
* The path of the phar file to check.
*
* @return bool
* TRUE if the file has a .phar extension or if the execution has been
* invoked by the phar file.
*/
private function baseFileContainsPharExtension($path) {
$baseFile = Helper::determineBaseFile($path);
if ($baseFile === NULL) {
return FALSE;
}
// If the stream wrapper is registered by invoking a phar file that does
// not not have .phar extension then this should be allowed. For
// example, some CLI tools recommend removing the extension.
$backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
// Find the last entry in the backtrace containing a 'file' key as
// sometimes the last caller is executed outside the scope of a file. For
// example, this occurs with shutdown functions.
do {
$caller = array_pop($backtrace);
} while (empty($caller['file']) && !empty($backtrace));
if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) {
return TRUE;
}
$fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
return strtolower($fileExtension) === 'phar';
}

}
21 changes: 21 additions & 0 deletions misc/typo3/phar-stream-wrapper/LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2018 TYPO3 project - https://typo3.org/

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
155 changes: 155 additions & 0 deletions misc/typo3/phar-stream-wrapper/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/badges/quality-score.png?b=v2)](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/?branch=v2)
[![Travis CI Build Status](https://travis-ci.org/TYPO3/phar-stream-wrapper.svg?branch=v2)](https://travis-ci.org/TYPO3/phar-stream-wrapper)

# PHP Phar Stream Wrapper

## Abstract & History

Based on Sam Thomas' findings concerning
[insecure deserialization in combination with obfuscation strategies](https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are)
allowing to hide Phar files inside valid image resources, the TYPO3 project
decided back then to introduce a `PharStreamWrapper` to intercept invocations
of the `phar://` stream in PHP and only allow usage for defined locations in
the file system.

Since the TYPO3 mission statement is **inspiring people to share**, we thought
it would be helpful for others to release our `PharStreamWrapper` as standalone
package to the PHP community.

The mentioned security issue was reported to TYPO3 on 10th June 2018 by Sam Thomas
and has been addressed concerning the specific attack vector and for this generic
`PharStreamWrapper` in TYPO3 versions 7.6.30 LTS, 8.7.17 LTS and 9.3.1 on 12th
July 2018.

* https://typo3.org/security/advisory/typo3-core-sa-2018-002/
* https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
* https://youtu.be/GePBmsNJw6Y

## License

In general the TYPO3 core is released under the GNU General Public License version
2 or any later version (`GPL-2.0-or-later`). In order to avoid licensing issues and
incompatibilities this `PharStreamWrapper` is licenced under the MIT License. In case
you duplicate or modify source code, credits are not required but really appreciated.

## Credits

Thanks to [Alex Pott](https://github.com/alexpott), Drupal for creating
back-ports of all sources in order to provide compatibility with PHP v5.3.

## Installation

The `PharStreamWrapper` is provided as composer package `typo3/phar-stream-wrapper`
and has minimum requirements of PHP v5.3 ([`v2`](https://github.com/TYPO3/phar-stream-wrapper/tree/v2) branch) and PHP v7.0 ([`master`](https://github.com/TYPO3/phar-stream-wrapper) branch).

### Installation for PHP v7.0

```
composer require typo3/phar-stream-wrapper ^3.0
```

### Installation for PHP v5.3

```
composer require typo3/phar-stream-wrapper ^2.0
```

## Example

The following example is bundled within this package, the shown
`PharExtensionInterceptor` denies all stream wrapper invocations files
not having the `.phar` suffix. Interceptor logic has to be individual and
adjusted to according requirements.

```
$behavior = new \TYPO3\PharStreamWrapper\Behavior();
Manager::initialize(
$behavior->withAssertion(new PharExtensionInterceptor())
);

if (in_array('phar', stream_get_wrappers())) {
stream_wrapper_unregister('phar');
stream_wrapper_register('phar', 'TYPO3\\PharStreamWrapper\\PharStreamWrapper');
}
```

* `PharStreamWrapper` defined as class reference will be instantiated each time
`phar://` streams shall be processed.
* `Manager` as singleton pattern being called by `PharStreamWrapper` instances
in order to retrieve individual behavior and settings.
* `Behavior` holds reference to interceptor(s) that shall assert correct/allowed
invocation of a given `$path` for a given `$command`. Interceptors implement
the interface `Assertable`. Interceptors can act individually on following
commands or handle all of them in case not defined specifically:
+ `COMMAND_DIR_OPENDIR`
+ `COMMAND_MKDIR`
+ `COMMAND_RENAME`
+ `COMMAND_RMDIR`
+ `COMMAND_STEAM_METADATA`
+ `COMMAND_STREAM_OPEN`
+ `COMMAND_UNLINK`
+ `COMMAND_URL_STAT`

## Interceptor

The following interceptor is shipped with the package and ready to use in order
to block any Phar invocation of files not having a `.phar` suffix. Besides that
individual interceptors are possible of course.

```
class PharExtensionInterceptor implements Assertable
{
/**
* Determines whether the base file name has a ".phar" suffix.
*
* @param string $path
* @param string $command
* @return bool
* @throws Exception
*/
public function assert($path, $command)
{
if ($this->baseFileContainsPharExtension($path)) {
return true;
}
throw new Exception(
sprintf(
'Unexpected file extension in "%s"',
$path
),
1535198703
);
}

/**
* @param string $path
* @return bool
*/
private function baseFileContainsPharExtension($path)
{
$baseFile = Helper::determineBaseFile($path);
if ($baseFile === null) {
return false;
}
$fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
return strtolower($fileExtension) === 'phar';
}
}
```

## Helper

* `Helper::determineBaseFile(string $path)`: Determines base file that can be
accessed using the regular file system. For instance the following path
`phar:///home/user/bundle.phar/content.txt` would be resolved to
`/home/user/bundle.phar`.
* `Helper::resetOpCache()`: Resets PHP's OPcache if enabled as work-around for
issues in `include()` or `require()` calls and OPcache delivering wrong
results. More details can be found in PHP's bug tracker, for instance like
https://bugs.php.net/bug.php?id=66569

## Security Contact

In case of finding additional security issues in the TYPO3 project or in this
`PharStreamWrapper` package in particular, please get in touch with the
[TYPO3 Security Team](mailto:[email protected]).
24 changes: 24 additions & 0 deletions misc/typo3/phar-stream-wrapper/composer.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"name": "typo3/phar-stream-wrapper",
"description": "Interceptors for PHP's native phar:// stream handling",
"type": "library",
"license": "MIT",
"homepage": "https://typo3.org/",
"keywords": ["php", "phar", "stream-wrapper", "security"],
"require": {
"php": "^5.3.3|^7.0"
},
"require-dev": {
"phpunit/phpunit": "^4.8.36"
},
"autoload": {
"psr-4": {
"TYPO3\\PharStreamWrapper\\": "src/"
}
},
"autoload-dev": {
"psr-4": {
"TYPO3\\PharStreamWrapper\\Tests\\": "tests/"
}
}
}
22 changes: 22 additions & 0 deletions misc/typo3/phar-stream-wrapper/src/Assertable.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
<?php
namespace TYPO3\PharStreamWrapper;

/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

interface Assertable
{
/**
* @param string $path
* @param string $command
* @return bool
*/
public function assert($path, $command);
}
Loading