In the library
The library was developed by the creators of the TYPO3 CMS, but it is also used in the Drupal and Joomla projects, which makes them vulnerable as well. The problems are fixed in the releases
On the practical side, the vulnerability in PharStreamWrapper allows a Drupal Core user with the 'Administrator' permission to upload a malicious phar file and have the PHP code inside it executed under the guise of a legitimate phar archive. Recall that the essence of the "Phar deserialization" attack is that when uploaded files are checked with the PHP function file_exists(), this function automatically deserializes metadata from Phar (PHP Archive) files when processing paths that begin with "phar://". A phar file can be passed off as an image, since the file_exists() function determines the MIME type by content, not by extension.
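Two defensive checks that follow from this behaviour, as an added example (not code from Drupal, TYPO3 or PharStreamWrapper): refuse user-influenced paths that name a stream wrapper before they reach file_exists(), and flag uploads that carry a phar stub marker whatever their extension. The function names are hypothetical, the sample upload is constructed, and the marker scan is a heuristic that can miss other archive layouts.

```php
<?php
declare(strict_types=1);

// Added example: function names and sample data are constructed for illustration.

/** True when $path selects a stream wrapper other than the local filesystem. */
function uses_stream_wrapper(string $path): bool
{
    // Compare the scheme case-insensitively so "PHAR://" is caught as well.
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', ltrim($path), $m) !== 1) {
        return false;
    }
    return strtolower($m[1]) !== 'file';
}

/** Heuristic: true when a file carries the stub marker of a native phar archive. */
function contains_phar_stub(string $file): bool
{
    $marker = '__HALT_COMPILER();';
    $handle = fopen($file, 'rb');
    if ($handle === false) {
        throw new RuntimeException("cannot open $file");
    }
    $tail = '';
    try {
        while (!feof($handle)) {
            $chunk = fread($handle, 65536);
            if ($chunk === false) { break; }
            // Prepend the end of earlier data so a marker split across reads is found.
            if (stripos($tail . $chunk, $marker) !== false) {
                return true;
            }
            $tail = substr($tail . $chunk, -(strlen($marker) - 1));
        }
    } finally {
        fclose($handle);
    }
    return false;
}

// Constructed sample: GIF header bytes followed by a phar-style stub marker.
$upload = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($upload, "GIF89a" . str_repeat("\0", 32) . "<?php __HALT_COMPILER();");

var_dump(uses_stream_wrapper('phar://' . $upload . '/x')); // wrapper path: reject
var_dump(uses_stream_wrapper($upload));                    // plain local path
var_dump(contains_phar_stub($upload));                     // image-looking file with stub
unlink($upload);
```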
source: budenet.ru