security/core#60 - Fix PHP Object Injection via Phar Deserialization
author: Patrick Figel <pfigel@greenpeace.org>
  Tue, 18 Feb 2020 19:44:11 +0000 (20:44 +0100)
committer: Seamus Lee <seamuslee001@gmail.com>
  Thu, 16 Apr 2020 01:03:21 +0000 (11:03 +1000)
commit: 2d38c68770e123f24f3b5d1db1ce0944148de6be
tree: 5f9dd1f66fba708b80acf79e37c6da15c4328343
parent: a0f864fd7be92b53ff3a9d36dda4aa3491470c7b
security/core#60 - Fix PHP Object Injection via Phar Deserialization

This mitigates Phar deserialization vulnerabilities by registering an
alternative Phar stream wrapper that filters out insecure Phar files.

PHP makes it possible to trigger Object Injection vulnerabilities by using
a side-effect of the phar:// stream wrapper that unserializes Phar
metadata. To mitigate this vulnerability, projects such as TYPO3 and Drupal
have implemented an alternative Phar stream wrapper that disallows
inclusion of phar files based on certain parameters. This change implements
a similar approach for Civi in environments where the vulnerability isn't
mitigated by the CMS.

Fixes security/core#60

CRM/Core/Invoke.php
Civi/Core/Security/PharExtensionInterceptor.php [new file with mode: 0644]
composer.json
composer.lock
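As an added illustration (not code from this commit, from CiviCRM or from TYPO3), a cut-down phar:// stream wrapper in the style the commit message describes: it resolves the archive named in a phar:// path, refuses any archive whose file name does not end in .phar, and otherwise hands the call to PHP's built-in wrapper, so the built-in wrapper never unserializes metadata from a disguised file. Class and method names are invented for the example, and it assumes PHP 7.4+ for arrow functions.

```php
<?php
// Added example, not CiviCRM's or TYPO3's code: a cut-down phar:// wrapper that
// only lets the built-in wrapper (and its metadata unserialize) see ".phar" files.
final class PharExtensionGuard
{
    public $context;   // populated by PHP when a stream context is supplied
    private $handle;   // resource opened by the built-in phar wrapper
    public static function register(): void
    {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', self::class);
    }
    // Resolve "phar:///srv/app/a.phar/inner.txt" to the archive on disk and
    // require a ".phar" extension; an archive that cannot be located is denied.
    public static function isAllowed(string $path): bool
    {
        $candidate = '';
        foreach (explode('/', preg_replace('#^phar://#i', '', $path)) as $i => $segment) {
            $candidate .= ($i === 0 ? '' : '/') . $segment;
            if (is_file($candidate)) {   // first real file on the path is the archive
                return strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) === 'phar';
            }
        }
        return false;
    }
    // Run $fn with PHP's own phar wrapper temporarily back in place.
    private function viaBuiltin(callable $fn)
    {
        stream_wrapper_restore('phar');
        try { return $fn(); } finally { self::register(); }
    }
    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool
    {
        if (!self::isAllowed($path)) {
            trigger_error("phar:// access denied for non-.phar file: $path", E_USER_WARNING);
            return false;
        }
        $this->handle = $this->viaBuiltin(fn () => @fopen($path, $mode));
        return is_resource($this->handle);
    }
    public function stream_read(int $count) { return $this->viaBuiltin(fn () => fread($this->handle, $count)); }
    public function stream_eof(): bool { return $this->viaBuiltin(fn () => feof($this->handle)); }
    public function stream_close(): void { $this->viaBuiltin(fn () => fclose($this->handle)); }
    public function url_stat(string $path, int $flags)   // file_exists()/is_file() land here
    {
        return self::isAllowed($path) ? $this->viaBuiltin(fn () => @stat($path)) : false;
    }
}
PharExtensionGuard::register();
```

A production wrapper has to cover every stream operation PHP can route to phar:// (dir_opendir, unlink, rename, stream_stat and so on), because any of them can trigger the metadata unserialize; this example guards only open, read and stat.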