typo3/phar-stream-wrapper
The typo3/phar-stream-wrapper package is a powerful tool designed to mitigate potential security vulnerabilities associated with PHP's native phar:// stream handling. Inspired by research on insecure deserialization and obfuscation strategies, TYPO3 aims to introduce a PharStreamWrapper that intercepts the invocation of phar:// streams in PHP and restricts their usage to predefined locations in the file system. The core benefit is to prevent obscure and insecure file inclusion within resources such as images.
To use typo3/phar-stream-wrapper, you first need to install it via Composer. For PHP v7.0 installation use the following command:

```bash
composer require typo3/phar-stream-wrapper ^3.0
```

For PHP v5.3 use this command:

```bash
composer require typo3/phar-stream-wrapper ^2.0
```

After you have installed typo3/phar-stream-wrapper, you can use it in your PHP code. An example of how to use typo3/phar-stream-wrapper is as follows:
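```php
// Deny phar:// invocations unless the base file name ends in ".phar".
$behavior = new \TYPO3\PharStreamWrapper\Behavior();
\TYPO3\PharStreamWrapper\Manager::initialize(
    $behavior->withAssertion(
        new \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor()
    )
);

// Replace PHP's native phar:// handler with the guarded wrapper.
if (in_array('phar', stream_get_wrappers())) {
    stream_wrapper_unregister('phar');
    stream_wrapper_register('phar', 'TYPO3\\PharStreamWrapper\\PharStreamWrapper');
}
```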
In this example, the PharStreamWrapper denies all stream wrapper invocations on files that do not have the .phar suffix.
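A custom interceptor for the location restriction described above, as an added example that is not code from the package or its README. It assumes the 3.x `Assertable` interface with `assert(string $path, string $command): bool` and a Composer autoloader; `PharLocationInterceptor` and `ALLOWED_DIR` are hypothetical names.

```php
<?php
// Added example, not from the package: permit phar:// only inside one trusted directory.
// PharLocationInterceptor and ALLOWED_DIR are hypothetical names; the Assertable
// signature assert(string $path, string $command): bool is assumed from the 3.x line.
require __DIR__ . '/vendor/autoload.php';

use TYPO3\PharStreamWrapper\{Assertable, Behavior, Exception, Manager, PharStreamWrapper};
const ALLOWED_DIR = __DIR__ . '/vendor';

final class PharLocationInterceptor implements Assertable
{
    private $allowedDir; // canonical trusted directory with trailing separator
    public function __construct(string $allowedDir)
    {
        $real = realpath($allowedDir);
        if ($real === false) {
            throw new \InvalidArgumentException('Trusted directory does not exist');
        }
        $this->allowedDir = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }

    public function assert(string $path, string $command): bool
    {
        // Walk up from "phar:///dir/x.phar/inner.php" to the archive file itself.
        $candidate = preg_replace('#^phar://#i', '', $path);
        while (!is_file($candidate) && dirname($candidate) !== $candidate) {
            $candidate = dirname($candidate);
        }
        // realpath() resolves "../" and symlinks before the prefix comparison.
        $archive = is_file($candidate) ? (string) realpath($candidate) : '';
        if ($archive !== '' && strpos($archive, $this->allowedDir) === 0) {
            return true;
        }
        throw new Exception(sprintf('phar:// denied for "%s" (%s)', $path, $command));
    }
}

Manager::initialize((new Behavior())->withAssertion(new PharLocationInterceptor(ALLOWED_DIR)));
if (in_array('phar', stream_get_wrappers())) {
    stream_wrapper_unregister('phar');
    stream_wrapper_register('phar', PharStreamWrapper::class);
}

// Constructed check: a path posing as an image upload is refused before PHP opens it.
try {
    file_exists('phar://' . __DIR__ . '/uploads/avatar.jpg/payload.txt');
} catch (Exception $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Because the comparison runs on the canonical path of the archive, a `.phar` file reached through `../` or a symlink that resolves outside the trusted directory is rejected as well.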
The guide and further information for typo3/phar-stream-wrapper can be found in the package's README on the associated GitHub page. The README covers the installation process, various examples, ways to use interceptors, and the Reader and Helper functions. Refer to it for an in-depth understanding of how to use typo3/phar-stream-wrapper effectively.