security/core#60 - Fix PHP Object Injection via Phar Deserialization
author: Patrick Figel <pfigel@greenpeace.org>
Tue, 18 Feb 2020 19:44:11 +0000 (20:44 +0100)
committer: Seamus Lee <seamuslee001@gmail.com>
Sat, 11 Apr 2020 20:49:43 +0000 (06:49 +1000)
commit: bc95d82c443a61917298fcd002ba8bd478e9cb12
tree: 62f8af37e6c9597ea44ac6077ab6e34c2f445655
parent: 7d766578a67c0725a63f6ce4df447bece46e4c0c
security/core#60 - Fix PHP Object Injection via Phar Deserialization

This mitigates Phar deserialization vulnerabilities by registering an
alternative Phar stream wrapper that filters out insecure Phar files.

PHP makes it possible to trigger Object Injection vulnerabilities by using
a side-effect of the phar:// stream wrapper that unserializes Phar
metadata. To mitigate this vulnerability, projects such as TYPO3 and Drupal
have implemented an alternative Phar stream wrapper that disallows
inclusion of phar files based on certain parameters. This change implements
a similar approach for Civi in environments where the vulnerability isn't
mitigated by the CMS.

Fixes security/core#60
CRM/Core/Invoke.php
Civi/Core/Security/PharExtensionInterceptor.php [new file with mode: 0644]
composer.json
composer.lock
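The mechanism the commit message describes, as an added, self-contained example. This is not CiviCRM's Civi/Core/Security/PharExtensionInterceptor.php and not TYPO3's phar-stream-wrapper library (the new file's name and the composer.json/composer.lock changes suggest Civi pulls that library in, but that is an assumption); every class, function and file name below is invented for the demonstration. It builds two constructed Phar archives, one renamed to evil.jpg to stand in for a disguised upload, shows that a mere file_exists() on a phar:// path parses the archive, then swaps the built-in phar wrapper for one that refuses any archive whose name does not end in .phar and delegates the rest to the native wrapper. Assumes PHP 7.1 or newer on the CLI, started with phar.readonly=0 so the archives can be written.

```php
<?php
// Added example, not CiviCRM's or TYPO3's code; class and file names are assumed.
// Assumes PHP >= 7.1 CLI. Run with:  php -d phar.readonly=0 phar_demo.php

// Stand-in for a "gadget": any autoloadable class with a magic method becomes
// reachable once attacker-controlled Phar metadata is unserialized.
final class Gadget
{
    public $note = 'metadata was unserialized';
    public function __wakeup() { echo "[gadget] __wakeup ran: {$this->note}\n"; }
}

// Policy: only archives named *.phar may be opened through phar://.
final class PharExtensionInterceptor
{
    // "phar:///tmp/evil.jpg/x.txt" -> "/tmp/evil.jpg": walk the path segments
    // until one of them is an existing file; that file is the archive on disk.
    public static function archivePath(string $url): ?string
    {
        $segments = explode('/', preg_replace('#^phar://#i', '', $url));
        $candidate = '';
        foreach ($segments as $i => $segment) {
            $candidate .= ($i === 0 ? '' : '/') . $segment;
            if ($candidate !== '' && is_file($candidate)) {
                return $candidate;
            }
        }
        return null; // nothing on disk: the native wrapper fails without parsing anything
    }

    public static function assertAllowed(string $url): void
    {
        $archive = self::archivePath($url);
        if ($archive !== null && strtolower(pathinfo($archive, PATHINFO_EXTENSION)) !== 'phar') {
            throw new RuntimeException("phar:// access to non-.phar file denied: $archive");
        }
    }
}

// Replacement for the built-in phar wrapper: validate the URL first, then
// delegate to the native wrapper while it is temporarily restored.
final class FilteringPharStreamWrapper
{
    public $context;
    private $handle = false;

    public static function register(): void
    {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', self::class);
    }

    private static function withNative(callable $fn)
    {
        stream_wrapper_restore('phar');
        try {
            return $fn();
        } finally {
            self::register();
        }
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$openedPath): bool
    {
        PharExtensionInterceptor::assertAllowed($path);
        $this->handle = self::withNative(function () use ($path, $mode) { return fopen($path, $mode); });
        return $this->handle !== false;
    }
    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
    public function stream_set_option(int $option, int $arg1, ?int $arg2): bool { return false; }
    public function url_stat(string $path, int $flags)
    {
        PharExtensionInterceptor::assertAllowed($path);
        return self::withNative(function () use ($path) { return @stat($path); });
    }
    // A production wrapper must guard every entry point the same way
    // (dir_opendir, unlink, rename, mkdir, stream_metadata, ...), or the check is bypassable.
}

// --- Demo with two constructed archives, one disguised as an image ----------
if (ini_get('phar.readonly')) { fwrite(STDERR, "run with -d phar.readonly=0\n"); exit(1); }
$dir = sys_get_temp_dir() . '/phar-demo-' . getmypid();
mkdir($dir);
$evil = "$dir/evil.jpg";   // "uploaded image" that is really a phar
$good = "$dir/app.phar";   // legitimate archive
foreach ([$evil, $good] as $file) {
    $phar = new Phar("$file.phar");          // the Phar class insists on a .phar name...
    $phar->addFromString('x.txt', 'hello');
    $phar->setMetadata(new Gadget());        // the injected object
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    unset($phar);
    rename("$file.phar", $file);             // ...but phar:// opens any file name
}

echo "1) native wrapper, PHP " . PHP_VERSION . ": file_exists() on the disguised phar\n";
var_dump(file_exists("phar://$evil/x.txt"));   // PHP < 8.0: Gadget::__wakeup fires here

echo "2) filtering wrapper registered\n";
FilteringPharStreamWrapper::register();
try {
    file_exists("phar://$evil/x.txt");
} catch (RuntimeException $e) {
    echo "blocked: " . $e->getMessage() . "\n";
}
echo "app.phar still readable: " . file_get_contents("phar://$good/x.txt") . "\n";

array_map('unlink', [$evil, $good]);
rmdir($dir);
```

Two caveats for anyone adapting this. First, the gadget line in step 1 only appears on PHP 7.x: since PHP 8.0, Phar metadata is no longer unserialized when the archive is opened, only when getMetadata() is called, so the file_exists() trigger is gone there, although the wrapper-level filter still makes sense as defence in depth on code paths that do read metadata. Second, a name-based filter is only as strong as its coverage: the example implements just the handful of wrapper methods the demo exercises, whereas any entry point left unimplemented (directory listing, unlink, include of a phar:// path) would reach the native wrapper unchecked, which is why a real interceptor wraps every stream-wrapper method and may additionally inspect the metadata bytes for serialized objects.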