Vulnerability in the PharStreamWrapper library affecting Drupal, Joomla and TYPO3

The PharStreamWrapper library, which provides handlers that protect against attacks involving substituted files in the "Phar" format, has a vulnerability (CVE-2019-11831) that allows bypassing its "code deserialization" protection by inserting ".." characters into the path. For example, an attacker can use a URL such as "phar:///path/bad.phar/../good.phar" for the attack: the library normalizes the base name to "/path/good.phar" when performing its check, whereas the subsequent processing of that path uses the file "/path/bad.phar".

The library was developed by the authors of the TYPO3 CMS, but it is also used in the Drupal and Joomla projects, which makes them vulnerable as well. The issue is fixed in PharStreamWrapper releases 2.1.1 and 3.1.1. The Drupal project fixed the problem in updates 7.67, 8.6.16 and 8.7.1. In Joomla the problem is present starting with version 3.9.3 and was fixed in release 3.9.6. To fix the problem in TYPO3, the PharStreamWrapper library must be updated.

In practical terms, the vulnerability in PharStreamWrapper allows a Drupal Core user with the 'Administer theme' permission to upload a malicious phar file and have the PHP code inside it executed under the guise of a legitimate phar archive. Recall that the essence of the "Phar deserialization" attack is that when uploaded helper files are checked with the PHP function file_exists(), this function automatically deserializes the metadata of Phar (PHP Archive) files when processing paths that begin with "phar://". A phar file can be passed off as an image, since file_exists() determines the MIME type from the content rather than from the extension.

Source: opennet.ru