Task #66740
closed
Issue #66263 patch do not work with suhosin.executor.disable_eval
Added by Matthias Toscanelli over 9 years ago.
Updated about 7 years ago.
Category:
Extension Manager
Description
The patch for issue 66263 introduces use of PHP function "eval".
TYPO3 can run with "suhosin.executor.disable_eval" that prevent most of hackers obfuscated intrusion.
Before this patch, "eval" was only used in core:
- for testing purpose
- to migrate localconf to LocalConfiguration (TYPO3\CMS\Install\Controller\StepController::migrateLocalconfToLocalConfigurationIfNeeded)
- for ADOBD_text (ADODB_text::_query)
In production testing is never used and localconf has already be migrated.
In case of using ADODB_text, "eval" can not be disabled.
In this patch, "eval" is used to dynamically rename the "ext_update" class name to prevent two "ext_update" when name-spaces are not used.
We could simple change this by generating a temporary PHP file in "typo3temp" with the PHP code, include it and then remove it.
I tried to push the code to Gerrit, but without success.
Here's a simple solution to put this in place.
/**
* Checks if an update class file exists.
* Does not check if some update is needed.
*
* @param string $extensionKey Extension key
* @return bool True, if there is some update script
* @throws \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException
*/
public function checkUpdateScriptExists($extensionKey) {
$updateScriptCanBeCalled = FALSE;
$updateScript = $this->getUpdateFileLocation($extensionKey);
if (file_exists($updateScript)) {
// get script contents
$scriptSourceCode = GeneralUtility::getUrl($updateScript);
// check if it has a namespace
if (!preg_match('/<\?php.*namespace\s+([^;]+);.*class/is', $scriptSourceCode, $matches)) {
// if no, rename the class with a unique name
$className = uniqid('ext_update');
$scriptSourceCode = preg_replace('/^\s*class\s+ext_update\s+/m', 'class ' . $className . ' ', $scriptSourceCode);
// load class and call access function
if (!preg_match('/\?>$/is', $scriptSourceCode)) {
$scriptSourceCode .= '?>';
}
$classFilename = \TYPO3\CMS\Core\Utility\GeneralUtility::tempnam($extensionKey.'_', '.php');
$written = \TYPO3\CMS\Core\Utility\GeneralUtility::writeFileToTypo3tempDir($classFilename, $scriptSourceCode);
if ($written !== NULL){
throw new \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException(
sprintf('Unable to rewrite class.ext_update.php: ' . $written, $extensionKey),
1430571633
);
}
include_once($classFilename);
unlink($classFilename);
} else {
$className = $matches[1] . '\ext_update';
include_once($updateScript);
}
if (!class_exists($className)) {
throw new \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException(
sprintf('class.ext_update.php of extension "%s" did not declare ext_update class', $extensionKey),
1428176468
);
}
$updater = GeneralUtility::makeInstance($className);
$updateScriptCanBeCalled = $updater->access();
}
return $updateScriptCanBeCalled;
}
This solution could be improved by using the TYPO3 cache to remember the generated classes and therefore do not have to regenerate every time.
We are currently discussing what to do with this issue. Stay tuned for more infomration soon
- Target version set to 6.2.13
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39467
Please test the patch and vote. Thanks
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39478
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by