PharLoader
in package
The `phar://` handler decides when/if to load data from PHAR files.
The helpers can inspect the PHAR handling and register a preferred PHAR handler.
Table of Contents
Methods
- isPharLoadingEnabled() : bool
- Does the system have any kind of support for reading phar://? Or has it been completely disabled?
- isWrapperInstantiated() : bool
- register() : mixed
- Register an alternative phar:// stream wrapper to filter out insecure Phars
Methods
isPharLoadingEnabled()
Does the system have any kind of support for reading phar://? Or has it been completely disabled?
public static isPharLoadingEnabled() : bool
- This will return TRUE in a vanilla PHP process (with default handler).
- It will also return TRUE if someone (such as Drupal, Joomla, or CiviCRM) has registered a wrapper.
- However, it can return FALSE if someone (such as Backdrop Web) has disabled support.
Return values
bool
isWrapperInstantiated()
public static isWrapperInstantiated() : bool
Return values
bool
register()
Register an alternative phar:// stream wrapper to filter out insecure Phars
public static register() : mixed
PHP makes it possible to trigger Object Injection vulnerabilities by using a side-effect of the phar:// stream wrapper that unserializes Phar metadata. To mitigate this vulnerability, projects such as TYPO3 and Drupal have implemented an alternative Phar stream wrapper that disallows inclusion of phar files based on certain parameters.
This code attempts to register the TYPO3 Phar stream wrapper using the interceptor defined in \Civi\Core\Security\PharExtensionInterceptor. In an environment where the stream wrapper was already registered via \TYPO3\PharStreamWrapper\Manager (e.g. Drupal), this code does not do anything. In other environments (e.g. WordPress, at the time of this writing), the TYPO3 library is used to register the interceptor to mitigate the vulnerability.
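The register-once behaviour described above, as an added sketch that is not CiviCRM's own code. It assumes the typo3/phar-stream-wrapper library (v3 API) is installed with Composer, uses the library's bundled `PharExtensionInterceptor` in place of `\Civi\Core\Security\PharExtensionInterceptor`, and the helper name `registerFilteringPharWrapper()` and the `upload.jpg` path are hypothetical.

```php
<?php
// Added example, not CiviCRM's code. Assumes typo3/phar-stream-wrapper (v3 API)
// is installed with Composer next to this script.
require __DIR__ . '/vendor/autoload.php';

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

/**
 * Hypothetical helper: install the filtering phar:// wrapper at most once.
 * Returns 'phar-disabled', 'already-registered' or 'registered'.
 */
function registerFilteringPharWrapper(): string {
  // The host removed phar:// entirely, so there is nothing to filter.
  if (!in_array('phar', stream_get_wrappers(), true)) {
    return 'phar-disabled';
  }
  try {
    // instance() throws LogicException until initialize() has been called,
    // so success here means another component already initialized the Manager.
    Manager::instance();
    return 'already-registered';
  }
  catch (\LogicException $e) {
    // Not initialized yet: fall through and do it ourselves.
  }
  Manager::initialize(
    (new Behavior())->withAssertion(new PharExtensionInterceptor())
  );
  // Swap PHP's native handler for the filtering one.
  stream_wrapper_unregister('phar');
  stream_wrapper_register('phar', PharStreamWrapper::class);
  return 'registered';
}

echo 'phar wrapper: ', registerFilteringPharWrapper(), "\n";

// Constructed check: the base file name has no .phar extension, so the
// interceptor should refuse the access before any Phar metadata is read.
try {
  file_exists('phar://' . __DIR__ . '/upload.jpg/inner.txt');
  echo "not blocked\n";
}
catch (\RuntimeException $e) {
  echo 'blocked: ', $e->getMessage(), "\n";
}
```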