class PharExtensionInterceptor

Same name in other branches
  1. 7.x misc/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor
  2. 7.x misc/typo3/drupal-security/PharExtensionInterceptor.php \Drupal\Core\Security\PharExtensionInterceptor
  3. 8.9.x core/lib/Drupal/Core/Security/PharExtensionInterceptor.php \Drupal\Core\Security\PharExtensionInterceptor

An alternate PharExtensionInterceptor to support phar-based CLI tools.

@internal

Hierarchy

Expanded class hierarchy of PharExtensionInterceptor

Deprecated

in drupal:9.4.0 and is removed from drupal:10.0.0. No replacement is provided.

See also

https://www.drupal.org/project/drupal/issues/3252439

\TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor

1 file declares its use of PharExtensionInterceptor
DrupalKernel.php in core/lib/Drupal/Core/DrupalKernel.php

File

core/lib/Drupal/Core/Security/PharExtensionInterceptor.php, line 20

Namespace

Drupal\Core\Security
View source 
class PharExtensionInterceptor implements Assertable {
    
    /**
     * Determines whether phar file is allowed to execute.
     *
     * The phar file is allowed to execute if:
     * - the base file name has a ".phar" suffix.
     * - it is the CLI tool that has invoked the interceptor.
     *
     * @param string $path
     *   The path of the phar file to check.
     * @param string $command
     *   The command being carried out.
     *
     * @return bool
     *   TRUE if the phar file is allowed to execute.
     *
     * @throws \TYPO3\PharStreamWrapper\Exception
     *   Thrown when the file is not allowed to execute.
     */
    public function assert(string $path, string $command) : bool {
        if ($this->baseFileContainsPharExtension($path)) {
            return TRUE;
        }
        throw new Exception(sprintf('Unexpected file extension in "%s"', $path), 1535198703);
    }
    
    /**
     * Determines if a path has a .phar extension or invoked execution.
     *
     * @param string $path
     *   The path of the phar file to check.
     *
     * @return bool
     *   TRUE if the file has a .phar extension or if the execution has been
     *   invoked by the phar file.
     */
    private function baseFileContainsPharExtension($path) {
        $baseFile = Helper::determineBaseFile($path);
        if ($baseFile === NULL) {
            return FALSE;
        }
        // If the stream wrapper is registered by invoking a phar file that does
        // not have .phar extension then this should be allowed. For example, some
        // CLI tools recommend removing the extension.
        $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
        // Find the last entry in the backtrace containing a 'file' key as
        // sometimes the last caller is executed outside the scope of a file. For
        // example, this occurs with shutdown functions.
        do {
            $caller = array_pop($backtrace);
        } while (empty($caller['file']) && !empty($backtrace));
        if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) {
            return TRUE;
        }
        $fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
        return strtolower($fileExtension) === 'phar';
    }

}

Members

Title Modifiers Object type Summary
PharExtensionInterceptor::assert public function Determines whether phar file is allowed to execute.
PharExtensionInterceptor::baseFileContainsPharExtension private function Determines if a path has a .phar extension or invoked execution.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.