[Summary view] [Print] [Text view]

   1  <?php
   2  declare(strict_types=1);
   3  namespace TYPO3\PharStreamWrapper\Interceptor;
   4  
   5  /*
   6   * This file is part of the TYPO3 project.
   7   *
   8   * It is free software; you can redistribute it and/or modify it under the terms
   9   * of the MIT License (MIT). For the full copyright and license information,
  10   * please read the LICENSE file that was distributed with this source code.
  11   *
  12   * The TYPO3 project - inspiring people to share!
  13   */
  14  
  15  use TYPO3\PharStreamWrapper\Assertable;
  16  use TYPO3\PharStreamWrapper\Exception;
  17  use TYPO3\PharStreamWrapper\Manager;
  18  use TYPO3\PharStreamWrapper\Phar\DeserializationException;
  19  use TYPO3\PharStreamWrapper\Phar\Reader;
  20  
  21  /**
  22   * @internal Experimental implementation of checking against serialized objects in Phar meta-data
  23   * @internal This functionality has not been 100% pentested...
  24   */
  25  class PharMetaDataInterceptor implements Assertable
  26  {
  27      /**
  28       * Determines whether the according Phar archive contains
  29       * (potential insecure) serialized objects.
  30       *
  31       * @param string $path
  32       * @param string $command
  33       * @return bool
  34       * @throws Exception
  35       */
  36      public function assert(string $path, string $command): bool
  37      {
  38          if ($this->baseFileDoesNotHaveMetaDataIssues($path)) {
  39              return true;
  40          }
  41          throw new Exception(
  42              sprintf(
  43                  'Problematic meta-data in "%s"',
  44                  $path
  45              ),
  46              1539632368
  47          );
  48      }
  49  
  50      /**
  51       * @param string $path
  52       * @return bool
  53       */
  54      private function baseFileDoesNotHaveMetaDataIssues(string $path): bool
  55      {
  56          $invocation = Manager::instance()->resolve($path);
  57          if ($invocation === null) {
  58              return false;
  59          }
  60          // directly return in case invocation was checked before
  61          if ($invocation->getVariable(self::class) === true) {
  62              return true;
  63          }
  64          // otherwise analyze meta-data
  65          try {
  66              $reader = new Reader($invocation->getBaseName());
  67              $reader->resolveContainer()->getManifest()->deserializeMetaData();
  68              $invocation->setVariable(self::class, true);
  69          } catch (DeserializationException $exception) {
  70              return false;
  71          }
  72          return true;
  73      }
  74  }