You are here

class PharExtensionInterceptor in Drupal 8

Same name and namespace in other branches
  1. 7 misc/typo3/drupal-security/PharExtensionInterceptor.php \Drupal\Core\Security\PharExtensionInterceptor
  2. 9 core/lib/Drupal/Core/Security/PharExtensionInterceptor.php \Drupal\Core\Security\PharExtensionInterceptor

An alternate PharExtensionInterceptor to support phar-based CLI tools.

Hierarchy

Expanded class hierarchy of PharExtensionInterceptor

See also

\TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor

1 file declares its use of PharExtensionInterceptor
DrupalKernel.php in core/lib/Drupal/Core/DrupalKernel.php

File

core/lib/Drupal/Core/Security/PharExtensionInterceptor.php, line 14

Namespace

Drupal\Core\Security
View source
class PharExtensionInterceptor implements Assertable {

  /**
   * Determines whether phar file is allowed to execute.
   *
   * The phar file is allowed to execute if:
   * - the base file name has a ".phar" suffix.
   * - it is the CLI tool that has invoked the interceptor.
   *
   * @param string $path
   *   The path of the phar file to check.
   * @param string $command
   *   The command being carried out.
   *
   * @return bool
   *   TRUE if the phar file is allowed to execute.
   *
   * @throws \TYPO3\PharStreamWrapper\Exception
   *   Thrown when the file is not allowed to execute.
   */
  public function assert(string $path, string $command) : bool {
    if ($this
      ->baseFileContainsPharExtension($path)) {
      return TRUE;
    }
    throw new Exception(sprintf('Unexpected file extension in "%s"', $path), 1535198703);
  }

  /**
   * Determines if a path has a .phar extension or invoked execution.
   *
   * @param string $path
   *   The path of the phar file to check.
   *
   * @return bool
   *   TRUE if the file has a .phar extension or if the execution has been
   *   invoked by the phar file.
   */
  private function baseFileContainsPharExtension($path) {
    $baseFile = Helper::determineBaseFile($path);
    if ($baseFile === NULL) {
      return FALSE;
    }

    // If the stream wrapper is registered by invoking a phar file that does
    // not have .phar extension then this should be allowed. For example, some
    // CLI tools recommend removing the extension.
    $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);

    // Find the last entry in the backtrace containing a 'file' key as
    // sometimes the last caller is executed outside the scope of a file. For
    // example, this occurs with shutdown functions.
    do {
      $caller = array_pop($backtrace);
    } while (empty($caller['file']) && !empty($backtrace));
    if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) {
      return TRUE;
    }
    $fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
    return strtolower($fileExtension) === 'phar';
  }

}

Members

Namesort descending Modifiers Type Description Overrides
PharExtensionInterceptor::assert public function Determines whether phar file is allowed to execute.
PharExtensionInterceptor::baseFileContainsPharExtension private function Determines if a path has a .phar extension or invoked execution.