Commit b3909cd8 authored by dsnopek's avatar dsnopek Committed by dsnopek

Issue #3026368 by dsnopek: [core] Add D6LTS patch for SA-CORE-2019-002 with fixes from #3026386

parent e7f00cc4
......@@ -83,10 +83,10 @@ index 0000000000..0e198901c8
+}
diff --git a/misc/typo3/drupal-security/PharExtensionInterceptor.php b/misc/typo3/drupal-security/PharExtensionInterceptor.php
new file mode 100644
index 0000000000..a77e9f84c2
index 0000000000..2e1a0cbc8b
--- /dev/null
+++ b/misc/typo3/drupal-security/PharExtensionInterceptor.php
@@ -0,0 +1,73 @@
@@ -0,0 +1,79 @@
+<?php
+
+namespace Drupal\Core\Security;
......@@ -111,7 +111,6 @@ index 0000000000..a77e9f84c2
+ *
+ * @param string $path
+ * The path of the phar file to check.
+ *
+ * @param string $command
+ * The command being carried out.
+ *
......@@ -135,6 +134,8 @@ index 0000000000..a77e9f84c2
+ }
+
+ /**
+ * Determines if a path has a .phar extension or invoked execution.
+ *
+ * @param string $path
+ * The path of the phar file to check.
+ *
......@@ -151,8 +152,13 @@ index 0000000000..a77e9f84c2
+ // not not have .phar extension then this should be allowed. For
+ // example, some CLI tools recommend removing the extension.
+ $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
+ $caller = array_pop($backtrace);
+ if (isset($caller['file']) && $baseFile === $caller['file']) {
+ // Find the last entry in the backtrace containing a 'file' key as
+ // sometimes the last caller is executed outside the scope of a file. For
+ // example, this occurs with shutdown functions.
+ do {
+ $caller = array_pop($backtrace);
+ } while (empty($caller['file']) && !empty($backtrace));
+ if (isset($caller['file']) && $baseFile === Helper::determineBaseFile($caller['file'])) {
+ return TRUE;
+ }
+ $fileExtension = pathinfo($baseFile, PATHINFO_EXTENSION);
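Review bot: The `do { … } while` loop after `debug_backtrace()` decides which frame is trusted as the invoking script, and that security decision is only partly documented. The comment explains why frames without a `file` key are skipped, but not what happens when no frame has one. In that case `$caller` fails the `isset($caller['file'])` test and the code falls through to the extension check, which is the safe outcome and worth stating, e.g. `// If no frame has a 'file' key, fall through to the extension check (deny by default).` Separately, `DEBUG_BACKTRACE_IGNORE_ARGS` is only defined from PHP 5.3.6, so if this backport is meant to run on older 5.3 releases that call may need a guard; the supported minimum is not visible on this page. The method begins above and continues below this hunk, and `Helper::determineBaseFile()` is not shown, so how it normalises the two paths being compared cannot be confirmed from here.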
......