PHP download

Download the PHP package typo3/phar-stream-wrapper without Composer

On this page you can find all versions of the php package typo3/phar-stream-wrapper. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

Table of contents
Download typo3/phar-stream-wrapper
More information about typo3/phar-stream-wrapper
Files in typo3/phar-stream-wrapper

Vendor typo3
Package phar-stream-wrapper
Short Description Interceptors for PHP's native phar:// stream handling
License MIT
Homepage https://typo3.org/

Keywords php security phar stream-wrapper

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Informations about the package phar-stream-wrapper

PHP Phar Stream Wrapper

Abstract & History

Based on Sam Thomas' findings concerning insecure deserialization in combination with obfuscation strategies allowing to hide Phar files inside valid image resources, the TYPO3 project decided back then to introduce a PharStreamWrapper to intercept invocations of the phar:// stream in PHP and only allow usage for defined locations in the file system.

Since the TYPO3 mission statement is inspiring people to share, we thought it would be helpful for others to release our PharStreamWrapper as standalone package to the PHP community.

The mentioned security issue was reported to TYPO3 on 10th June 2018 by Sam Thomas and has been addressed concerning the specific attack vector and for this generic PharStreamWrapper in TYPO3 versions 7.6.30 LTS, 8.7.17 LTS and 9.3.1 on 12th July 2018.

With PHP 8.0.0 the default behavior changed and meta-data is not deserialized automatically anymore:

License

In general the TYPO3 core is released under the GNU General Public License version 2 or any later version (GPL-2.0-or-later). In order to avoid licensing issues and incompatibilities this PharStreamWrapper is licenced under the MIT License. In case you duplicate or modify source code, credits are not required but really appreciated.

Credits

Thanks to Alex Pott, Drupal for creating back-ports of all sources in order to provide compatibility with PHP v5.3.

Installation

The PharStreamWrapper is provided as composer package typo3/phar-stream-wrapper and has minimum requirements of PHP v5.3 (v2 branch) and PHP v7.0 (master branch).

Installation for PHP v7.0

Installation for PHP v5.3

Example

The following example is bundled within this package, the shown PharExtensionInterceptor denies all stream wrapper invocations files not having the .phar suffix. Interceptor logic has to be individual and adjusted to according requirements.

PharStreamWrapper defined as class reference will be instantiated each time phar:// streams shall be processed.
Manager as singleton pattern being called by PharStreamWrapper instances in order to retrieve individual behavior and settings.
Behavior holds reference to interceptor(s) that shall assert correct/allowed invocation of a given $path for a given $command. Interceptors implement the interface Assertable. Interceptors can act individually on following commands or handle all of them in case not defined specifically:
- COMMAND_DIR_OPENDIR
- COMMAND_MKDIR
- COMMAND_RENAME
- COMMAND_RMDIR
- COMMAND_STEAM_METADATA
- COMMAND_STREAM_OPEN
- COMMAND_UNLINK
- COMMAND_URL_STAT

Interceptors

The following interceptor is shipped with the package and ready to use in order to block any Phar invocation of files not having a .phar suffix. Besides that individual interceptors are possible of course.

ConjunctionInterceptor

This interceptor combines multiple interceptors implementing Assertable. It succeeds when all nested interceptors succeed as well (logical AND).

PharExtensionInterceptor

This (basic) interceptor just checks whether the invoked Phar archive has an according .phar file extension. Resolving symbolic links as well as Phar internal alias resolving are considered as well.

PharMetaDataInterceptor

This interceptor is actually checking serialized Phar meta-data against PHP objects and would consider a Phar archive malicious in case not only scalar values are found. A custom low-level Phar\Reader is used in order to avoid using PHP's Phar object which would trigger the initial vulnerability.

Reader

Phar\Reader::__construct(string $fileName): Creates low-level reader for Phar archive
Phar\Reader::resolveContainer(): Phar\Container: Resolves model representing Phar archive
Phar\Container::getStub(): Phar\Stub: Resolves (plain PHP) stub section of Phar archive
Phar\Container::getManifest(): Phar\Manifest: Resolves parsed Phar archive manifest as documented at http://php.net/manual/en/phar.fileformat.manifestfile.php
Phar\Stub::getMappedAlias(): string: Resolves internal Phar archive alias defined in stub using Phar::mapPhar('alias.phar') - actually the plain PHP source is analyzed here
Phar\Manifest::getAlias(): string - Resolves internal Phar archive alias defined in manifest using Phar::setAlias('alias.phar')
Phar\Manifest::getMetaData(): string: Resolves serialized Phar archive meta-data
Phar\Manifest::deserializeMetaData(): mixed: Resolves deserialized Phar archive meta-data containing only scalar values - in case an object is determined, an according Phar\DeserializationException will be thrown

Helper

Helper::determineBaseFile(string $path): string: Determines base file that can be accessed using the regular file system. For instance the following path phar:///home/user/bundle.phar/content.txt would be resolved to /home/user/bundle.phar.
Helper::resetOpCache(): Resets PHP's OPcache if enabled as work-around for issues in include() or require() calls and OPcache delivering wrong results. More details can be found in PHP's bug tracker, for instance like https://bugs.php.net/bug.php?id=66569

Security Contact

In case of finding additional security issues in the TYPO3 project or in this PharStreamWrapper package in particular, please get in touch with the TYPO3 Security Team.

All versions of phar-stream-wrapper with dependencies

PHP Build Version

Package Version

Version v3.1.7 Release 20. Sep 2021
create-project require 4 people choosed require and
0 people choosed create-project.

Download

Download latest version of phar-stream-wrapper from vendor typo3

Requires php Version ^7.0 || ^8.0
ext-json Version *

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package typo3/phar-stream-wrapper contains the following files

Loading the files please wait ....