Create a library for Joomla with the files
geoip2.phar from https://github.com/maxmind/GeoIP2-php
"geoip.php":
include_once('geoip2.phar');
Use:
jimport('libraryname.geoip');
No exceptions; everything works as with Joomla 3.9.2.
Exception:
Failed opening required 'phar://geoip2.phar/vendor/autoload.php
Joomla 3.9.3
PHP 7.2
I think it started after this fix:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7743
This is a quick patch:
diff --git a/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php b/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php
index db500af..e53c141 100644
--- a/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php
+++ b/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php
@@ -27,6 +27,10 @@
*/
public function assert($path, $command)
{
+ if (preg_match('/^phar:\/\/[a-zA-Z0-9_]+\.phar\/.+\.php$/', $path) === 1) {
+ // Lightweight way to whitelist phar aliases, if they contain ".phar" extension
+ return TRUE;
+ }
if ($this->baseFileContainsPharExtension($path)) {
return true;
}
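Review bot: the new early return at the top of assert() short-circuits the baseFileContainsPharExtension() check for every path whose alias segment matches `[a-zA-Z0-9_]+\.phar`, and the regex only inspects the string, not the file the alias maps to, so the interceptor no longer verifies that the archive actually on disk carries a .phar extension, which is exactly the check it exists to enforce. If a temporary workaround is unavoidable, match the one exact alias in use (`geoip2.phar`) rather than a wildcard, and prefer the alias resolution from TYPO3/phar-stream-wrapper#15. Minor: `return TRUE;` should be `return true;` to match the existing `return true;` two lines below.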
See TYPO3/phar-stream-wrapper#15 for the upstream fix.
Patching third party files is only a solution for a temporary fix, this type of change cannot be allowed in the CMS.
Also, as pointed out in https://www.drupal.org/project/drupal/issues/3026443 and the related conversation, that patch is actually pretty likely to re-introduce security issues.
Yes, this is just a quick solution that works for me. Without this solution my service doesn't work... Will Joomla get an update with the fix in version 3.9.4?
It depends on when the upstream fix is released. The quick fix that you suggested though should not be included in a release because it re-introduces a similar issue that adding that library tries to solve (basically if you're rolling with that patch you're suggesting on a production site you need to be pretty darn certain that no other PHAR files are able to get into your environment, or you should roll a temporary patch that explicitly whitelists only that PHAR).
@jurihahn maybe you can help test TYPO3/phar-stream-wrapper#15 and give the typo3 devs feedback if it works.
The 3.9.4 release is planned for 12 March, so it should be ready a week before.
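The narrow temporary patch suggested above, one that allow-lists only the single PHAR in use instead of any "*.phar" alias, as an added example that is not Joomla's or TYPO3's code. It assumes the phar-stream-wrapper v2 class names bundled with Joomla 3.9.x (Assertable, Behavior, Helper, Manager, PharExtensionInterceptor), PHP 7.2, and a hypothetical archive path /var/www/site/libraries/geoip/geoip2.phar.

```php
<?php
// Added example, not Joomla's or TYPO3's code. Assumes the phar-stream-wrapper
// v2 classes shipped with Joomla 3.9.x and a hypothetical archive location
// /var/www/site/libraries/geoip/geoip2.phar (placeholder path).
use TYPO3\PharStreamWrapper\Assertable;
use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Helper;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager;
final class SinglePharAllowlistInterceptor implements Assertable
{
    private $alias;     // alias the archive uses internally, e.g. "geoip2.phar"
    private $realFile;  // realpath() of the one archive allowed to use that alias
    private $fallback;  // the stock ".phar"-extension check for everything else
    public function __construct($alias, $file, Assertable $fallback)
    {
        $real = realpath($file);
        if ($real === false) {
            throw new \InvalidArgumentException('Allow-listed PHAR missing: ' . $file);
        }
        $this->alias = $alias;
        $this->realFile = $real;
        $this->fallback = $fallback;
    }
    public function assert($path, $command)
    {
        // Path names a real file on disk: allow only if it is exactly our archive.
        $baseFile = Helper::determineBaseFile($path);
        if ($baseFile !== null && realpath($baseFile) === $this->realFile) {
            return true;
        }
        // Alias form (phar://geoip2.phar/...): accept this one exact alias string,
        // not any "<name>.phar" as the regex in the quick patch does. This still
        // trusts the alias name, so drop it once TYPO3/phar-stream-wrapper#15 lands.
        if (strpos($path, 'phar://') === 0) {
            $first = explode('/', ltrim(substr($path, 7), '/'), 2)[0];
            if ($first === $this->alias) {
                return true;
            }
        }
        // Everything else keeps the default rule: the real file must end in .phar.
        return $this->fallback->assert($path, $command);
    }
}
// Manager::initialize() refuses a second call, so this replaces Joomla's own
// bootstrap registration of PharExtensionInterceptor rather than adding to it.
Manager::initialize((new Behavior())->withAssertion(new SinglePharAllowlistInterceptor(
    'geoip2.phar', '/var/www/site/libraries/geoip/geoip2.phar', new PharExtensionInterceptor()
)));
```

The alias branch is the residual risk the comments above describe, so it is deliberately limited to one literal alias and should be removed once the upstream resolver is in place.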
Quickest thing I can come up with is to apply the changes from that repo's src directory to the files in libraries/vendor/typo3/phar-stream-wrapper/src in a Joomla install. There isn't a quick and simple diff to apply, and unless you really want to mess with Composer stuff that's probably the easiest choice. You could try mangling the diff from https://patch-diff.githubusercontent.com/raw/TYPO3/phar-stream-wrapper/pull/15.diff to apply to a Joomla install (remove the README and tests directory changes), but no guarantees on that working.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-02-20 15:29:28 |
Closed_By | ⇒ | joomla-cms-bot |
Closed_Date | 2019-02-20 15:29:28 | ⇒ | 2019-02-20 15:29:29 |
Closed_By | joomla-cms-bot | ⇒ | Quy |
Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/23907
Please test PR #23956
I found this: https://www.drupal.org/project/drupal/issues/3028265
I think Drupal has the same problem.