Allow whitelisting stream wrappers in File::prohibitWrappers() (#4881) #4884
Closed
YoussefMansour9 wants to merge 1 commit into
The prohibitWrappers() method was added as part of a security advisory but is too strict: it blocks all stream wrappers with multi-character schemes, including legitimate ones like vfs:// used by the vfsStream testing library. This adds an allowStreamWrappers() method to whitelist specific wrappers, and modifies prohibitWrappers() to skip blocked schemes only when they are not in the allowed list.
34c9286 to 1b28e3c
Collaborator
Thank you for submitting this. I encourage you to continue to look for outstanding issues which you can solve. Unfortunately, both of the issues which you have chosen to address today come with complications - one has security implications, and one involves a potential breaking change. For those reasons, I need to reject them both. I truly hope this will not be overly discouraging for you.
Fixes #4881
The prohibitWrappers() method was added as part of a security advisory but is too strict: it blocks all stream wrappers with multi-character schemes, including legitimate ones like vfs:// used by the vfsStream testing library.

This adds File::allowStreamWrappers(["vfs"]) to selectively whitelist specific wrappers. The existing default behavior (blocking all multi-character schemes) is preserved.
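
The check described in this pull request (block every multi-character scheme unless it is explicitly allowed), as an added sketch that is not the pull request's or the project's code. The class and method names, the scheme regex and the per-object allow-list are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not project code. WrapperGuard, allow() and
// assertNoWrapper() are hypothetical names; the scheme regex is an assumption.
final class WrapperGuard
{
    /** @var array<string, true> lower-cased scheme names that may pass */
    private array $allowed = [];

    /** @param string[] $schemes exact scheme names, e.g. ['vfs'] */
    public function allow(array $schemes): void
    {
        foreach ($schemes as $scheme) {
            // Accept bare scheme names only, so "vfs://" or "vfs:x" cannot be registered.
            if (preg_match('/^[a-z][a-z0-9+.-]+$/iD', $scheme) !== 1) {
                throw new InvalidArgumentException("Not a scheme name: {$scheme}");
            }
            $this->allowed[strtolower($scheme)] = true;
        }
    }

    public function assertNoWrapper(string $filename): void
    {
        // Two or more characters before ':' count as a wrapper scheme; a single
        // letter (C:\book.xlsx) is a Windows drive. "://" is not required, so
        // forms such as "data:..." are caught as well.
        if (preg_match('/^([a-z][a-z0-9+.-]+):/i', $filename, $m) !== 1) {
            return;
        }
        // Compare case-insensitively: "VFS://" and "vfs://" are the same scheme.
        if (!isset($this->allowed[strtolower($m[1])])) {
            throw new RuntimeException("Stream wrapper not permitted: {$m[1]}");
        }
    }
}

// Constructed sample inputs.
$guard = new WrapperGuard();
$guard->allow(['vfs']);
$samples = ['book.xlsx', 'C:\\data\\book.xlsx', 'vfs://root/book.xlsx',
            'VFS://root/book.xlsx', 'phar://a.phar/book.xlsx', 'data:text/plain,x'];
foreach ($samples as $name) {
    try {
        $guard->assertNoWrapper($name);
        echo "allowed  {$name}\n";
    } catch (RuntimeException $e) {
        echo "blocked  {$name}\n";
    }
}
```

With only vfs allowed, the plain path, the drive-letter path and both vfs forms pass, while the phar:// and data: names are blocked.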