Vulnerability in the PharStreamWrapper library affects Drupal, Joomla and TYPO3

A vulnerability (CVE-2019-11831) has been identified in the PharStreamWrapper library, which provides stream handlers to protect against deserialization attacks carried out by substituting a file in the "Phar" format. It allows the protection against malicious code execution to be bypassed by inserting ".." segments into the path. For example, an attacker could use a URL such as "phar:///path/bad.phar/../good.phar": when checking, the library would resolve the base name to "/path/good.phar", although during further processing of such a path the file "/path/bad.phar" would actually be used.

The library was developed by the TYPO3 CMS developers, but it is also used in the Drupal and Joomla projects, which makes them vulnerable as well. The problem was fixed in PharStreamWrapper releases 2.1.1 and 3.1.1. The Drupal project fixed the issue in updates 7.67, 8.6.16 and 8.7.1. In Joomla the problem has been present since version 3.9.3 and was fixed in release 3.9.6. To fix the problem in TYPO3, you need to update the PharStreamWrapper library.

In practical terms, the vulnerability in PharStreamWrapper allows a Drupal Core user with the 'Administrator' permission to upload a malicious phar file and have the PHP code it contains executed under the guise of a legitimate phar archive. Recall that the essence of the "Phar deserialization" attack is that when uploaded helper files are checked with the PHP function file_exists(), that function automatically deserializes the metadata of Phar (PHP Archive) files when it processes paths beginning with "phar://". A phar file can be passed off as an image, since the file_exists() function determines the MIME type by content rather than by extension.
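The path-resolution mistake described above, modelled as an added Python example (this is not the library's own code, which is PHP): a naive resolver that collapses ".." before locating the archive name is placed next to a hardened one that takes the first ".phar" segment from the raw, un-normalized path, which is the file the article says is actually used, and that additionally refuses any ".." segment. The function names and the allow-list are assumptions made for the example.

```python
import re

PHAR_PREFIX = "phar://"


def _normalize(path):
    """Textually collapse "." and ".." segments, the naive step that hides the real archive."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def naive_base_file(url):
    """Flawed model: normalize first, then take the prefix ending in ".phar".

    For "phar:///path/bad.phar/../good.phar" this yields "/path/good.phar",
    so an allow-list check on the result looks at the wrong archive.
    """
    path = url[len(PHAR_PREFIX):]
    m = re.search(r"^(.*?\.phar)(?:/|$)", _normalize(path), re.IGNORECASE)
    return m.group(1) if m else None


def hardened_base_file(url):
    """Hardened model: the first raw segment ending in ".phar" is the archive.

    No normalization is applied beforehand, so "/path/bad.phar/../good.phar"
    resolves to "/path/bad.phar", the file that would really be opened.
    """
    path = url[len(PHAR_PREFIX):]
    parts = []
    for seg in path.split("/"):
        if seg == "":
            continue
        parts.append(seg)
        if seg.lower().endswith(".phar"):
            return "/" + "/".join(parts)
    return None


def naive_is_allowed(url, allowlist):
    """Allow-list check built on the flawed resolver (assumed policy: exact match)."""
    return naive_base_file(url) in allowlist


def hardened_is_allowed(url, allowlist):
    """Allow-list check built on the hardened resolver.

    Any ".." segment is rejected outright: a legitimate phar:// reference has
    no reason to traverse upwards, and accepting it only invites ambiguity.
    """
    if not url.startswith(PHAR_PREFIX):
        return False
    if ".." in url[len(PHAR_PREFIX):].split("/"):
        return False
    return hardened_base_file(url) in allowlist


if __name__ == "__main__":
    # Constructed sample inputs; "/path/good.phar" is the only archive we trust.
    allowed = {"/path/good.phar"}
    attack = "phar:///path/bad.phar/../good.phar"
    benign = "phar:///path/good.phar/inner.php"
    for u in (attack, benign):
        print(u, "naive:", naive_is_allowed(u, allowed),
              "hardened:", hardened_is_allowed(u, allowed))
```

Run directly, the script shows the naive check accepting the traversal URL while the hardened check rejects it and still admits the benign reference to an allowed archive.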

source: budenet.ru
