stable

php-brumann-polyfill-unserialize-1.0.3-1.el7 and php-typo3-phar-stream-wrapper2-2.1.2-1.el7

FEDORA-EPEL-2019-24edff97c6 created by siwinski 5 years ago for Fedora EPEL 7

php-typo3-phar-stream-wrapper2

v2.1.2 Handling mime-type & Windows paths

Resolved Issues

  • #34: Normalize resolved Windows path to Unix-style
  • #42: Avoid analysing non-phar files on alias resolving
  • #40: Add Windows tests using AppVeyor
  • #33: Add alternative mime-type resolving (without ext-fileinfo)

v2.1.1 Phar Alias Handling & Performance

Releases v3.1.1 and v.2.1.1 aim to overcome drawbacks in Phar's alias resolving from Phar stub as well as solving performance aspects.

v2.1.0 Phar Alias Handling

Description

Releases v3.1.0 and v.2.1.0 aim to overcome drawbacks in Phar's alias resolving (either by Phar archives using Phar::setAlias() in meta-data or Phar::mapPhar() in stub code).

Merged pull-requests

  • Phar alias resolving (v3: #10, #12, v2: #14, #15)
  • Phar alias handling and (v3: #16, #17, v2: #20)

Migration

In case custom Assertable interceptors have been used, path resolving has to be adjusted in order to make use of alias resolving features.

before - example in v3.0.1
$baseFile = Helper::determineBaseFile($path);
after - example in v3.1.0
$invocation = Manager::instance()->resolve($path);
$baseName = $invocation->getBaseName(); // previously called $baseFile

Open Issues

There have been reports about flaws using stream_select() and according stream_cast() in PharStreamWrapper. Since it was not possible to reproduce the behavior in an isolated scenario and specific platform requiresments were not clear, these aspects have not been covered by these releses - see #8 and #19 for details.

Features

  • added low-level Phar\Reader for stub & meta-data (incl. alias) and their model representations
  • added Resolver\PharInvocationResolver in order to resolve/handle alias names
  • added Interceptor\ConjunctionInterceptor for combining multiple interceptors
  • added Interceptor\PharMetaDataInterceptor for actually testing against insecure deserialization in meta-data of Phar archives

php-brumann-polyfill-unserialize

Backports unserialize options introduced in PHP 7.0 to older PHP versions. This was originally designed as a Proof of Concept for Symfony Issue #21090.

You can use this package in projects that rely on PHP versions older than PHP 7.0. In case you are using PHP 7.0+ the original unserialize() will be used instead.

From the documentation:

Warning: Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.

This warning holds true even when allowed_classes is used.

This update has been submitted for testing by siwinski.

5 years ago

This update test gating status has been changed to 'waiting'.

5 years ago

This update test gating status has been changed to 'ignored'.

5 years ago

This update has been pushed to testing.

5 years ago

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

5 years ago

This update has been submitted for stable by siwinski.

5 years ago

This update has been pushed to stable.

5 years ago

Please login to add feedback.

Metadata
Type
security
Severity
medium
Karma
0
Signed
Content Type
RPM
Test Gating
Autopush Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
5 years ago
in testing
5 years ago
in stable
5 years ago
BZ#1707960 Review Request: php-brumann-polyfill-unserialize - Backports unserialize options introduced in PHP 7.0
0
0
BZ#1708646 CVE-2019-11830 phar-stream-wrapper: mishandling of phar stub parsing leads to bypass a deserialization of protection mechanism
0
0
BZ#1708649 CVE-2019-11831 phar-stream-wrapper: TYP03 does not prevent directory traversal resulting in bypass of deserialization of protection mechanism
0
0
BZ#1708652 CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper2: various flaws [fedora-all]
0
0
BZ#1708653 CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper2: various flaws [epel-7]
0
0

Automated Test Results