Add a check for phar in stream wrappers. #24
Conversation
This resolves an issue whereby the phpstan phar would try to be loaded even if phar has not been registered as a stream wrapper in PHP.
jbarton123
changed the title
|
Hi, is this related to magento/magento2#21973? I think that this isn't right, because it will cause other things to silently fail. This bootstrap is here because if you install I'd rather have some exception thrown from the bootstrap if the |
|
Hi Ondre I see what you mean. I have updated the pull request to thrown an exception if the phar wrapper is not registered. |
bootstrap.php
Outdated
| @@ -1,5 +1,9 @@ | |||
| <?php | |||
|
|
|||
| if (!in_array('phar', stream_get_wrappers())) { | |||
There was a problem hiding this comment.
Please add 3rd parameter true.
bootstrap.php
Outdated
| @@ -1,5 +1,9 @@ | |||
| <?php | |||
|
|
|||
| if (!in_array('phar', stream_get_wrappers())) { | |||
| throw new \Exception('Phar wrapper is not registered. Please review your php.ini settings'); | |||
There was a problem hiding this comment.
Please add dot . at the end.
|
Thanks a lot! |
This resolves an issue whereby the phpstan phar would try to be loaded even if
phar has not been registered as a stream wrapper in PHP.
This is prevalant in Magento >=2.2.8 as there now exists a line which unregisters 'phar' from stream wrappers in the bootstrap.php file.
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update (
PRODSECBUG-2261: Arbitrary code execution due to unsafe deserialization of a PHP archive)If PhpStan is loaded via the composer autoloader it causes magento commands to fail with this error -