Task #66740
Status: closed
Issue #66263 patch does not work with suhosin.executor.disable_eval
100%
Description
The patch for issue 66263 introduces use of PHP function "eval".
TYPO3 can run with "suhosin.executor.disable_eval", which prevents most of hackers' obfuscated intrusions.
Before this patch, "eval" was only used in core:
- for testing purposes
- to migrate localconf to LocalConfiguration (TYPO3\CMS\Install\Controller\StepController::migrateLocalconfToLocalConfigurationIfNeeded)
- for ADODB_text (ADODB_text::_query)
In production, testing is never used and localconf has already been migrated.
In case of using ADODB_text, "eval" cannot be disabled.
In this patch, "eval" is used to dynamically rename the "ext_update" class name to prevent two "ext_update" when name-spaces are not used.
We could simply change this by generating a temporary PHP file in "typo3temp" with the PHP code, including it and then removing it.
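The description lists the remaining eval call sites in core. As an added example (not part of the original issue and not TYPO3 code), the following script shows one way to audit a source tree for real eval() calls before enabling "suhosin.executor.disable_eval". The function names findEvalLines() and auditTree() are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not TYPO3 code. findEvalLines() and auditTree() are hypothetical names.

/** Return the line numbers of real eval() calls in a PHP source string. */
function findEvalLines($source)
{
    $lines = array();
    // The tokenizer reports eval as T_EVAL only when it is the language
    // construct, so "eval" inside strings or comments is ignored.
    foreach (token_get_all((string)$source) as $token) {
        if (is_array($token) && $token[0] === T_EVAL) {
            $lines[] = $token[2];
        }
    }
    return $lines;
}

/** Map each .php file below $root to the lines where it calls eval(). */
function auditTree($root)
{
    $report = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $hits = findEvalLines(file_get_contents($file->getPathname()));
            if ($hits) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample input: only the last line is an actual eval() call.
$sample = <<<'PHP'
<?php
// eval() mentioned in a comment
$label = 'eval($x) inside a string';
$result = eval('return 1 + 1;');
PHP;
echo 'sample: eval on line(s) ', implode(', ', findEvalLines($sample)), PHP_EOL;

// Optional: pass a directory on the command line to audit a source tree.
if (isset($argv[1]) && is_dir($argv[1])) {
    foreach (auditTree($argv[1]) as $path => $hits) {
        echo $path, ': ', implode(', ', $hits), PHP_EOL;
    }
}
```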
Updated by Matthias Toscanelli over 9 years ago
I tried to push the code to Gerrit, but without success.
Here's a simple solution to put this in place.
    /**
     * Checks if an update class file exists.
     * Does not check if some update is needed.
     *
     * @param string $extensionKey Extension key
     * @return bool True, if there is some update script
     * @throws \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException
     */
    public function checkUpdateScriptExists($extensionKey) {
        $updateScriptCanBeCalled = FALSE;
        $updateScript = $this->getUpdateFileLocation($extensionKey);
        if (file_exists($updateScript)) {
            // get script contents
            $scriptSourceCode = GeneralUtility::getUrl($updateScript);
            // check if it has a namespace
            if (!preg_match('/<\?php.*namespace\s+([^;]+);.*class/is', $scriptSourceCode, $matches)) {
                // if no, rename the class with a unique name
                $className = uniqid('ext_update');
                $scriptSourceCode = preg_replace('/^\s*class\s+ext_update\s+/m', 'class ' . $className . ' ', $scriptSourceCode);
                // load class and call access function
                if (!preg_match('/\?>$/is', $scriptSourceCode)) {
                    $scriptSourceCode .= '?>';
                }
                // write the renamed class to a temporary file instead of passing it to eval()
                $classFilename = \TYPO3\CMS\Core\Utility\GeneralUtility::tempnam($extensionKey . '_', '.php');
                // writeFileToTypo3tempDir() returns NULL on success, an error message otherwise
                $written = \TYPO3\CMS\Core\Utility\GeneralUtility::writeFileToTypo3tempDir($classFilename, $scriptSourceCode);
                if ($written !== NULL) {
                    // pass the error text as an argument so a "%" in it cannot break sprintf()
                    throw new \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException(
                        sprintf('Unable to rewrite class.ext_update.php of extension "%s": %s', $extensionKey, $written),
                        1430571633
                    );
                }
                include_once($classFilename);
                unlink($classFilename);
            } else {
                $className = $matches[1] . '\ext_update';
                include_once($updateScript);
            }
            if (!class_exists($className)) {
                throw new \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException(
                    sprintf('class.ext_update.php of extension "%s" did not declare ext_update class', $extensionKey),
                    1428176468
                );
            }
            $updater = GeneralUtility::makeInstance($className);
            $updateScriptCanBeCalled = $updater->access();
        }
        return $updateScriptCanBeCalled;
    }

This solution could be improved by using the TYPO3 cache to remember the generated classes and therefore not having to regenerate them every time.
Updated by Wouter Wolters over 9 years ago
We are currently discussing what to do with this issue. Stay tuned for more information soon.
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39467
Updated by Gerrit Code Review over 9 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39478
Updated by Jigal van Hemert over 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 88dd489847cc0e8bfa22f003682b4ea4a980daf5.
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed