
GeoIP "geoip2.phar" doesn't work with Joomla 3.9.3 #23907

Closed
jurihahn opened this issue Feb 14, 2019 · 11 comments

Comments

@jurihahn
Contributor

jurihahn commented Feb 14, 2019

Steps to reproduce the issue

Create a library for Joomla with these files:
geoip2.phar from https://github.com/maxmind/GeoIP2-php
"geoip.php": include_once('geoip2.phar');

Use:
jimport('libraryname.geoip');

Expected result

No exceptions; everything works as with Joomla 3.9.2.

Actual result

Exception:
Failed opening required 'phar://geoip2.phar/vendor/autoload.php

System information (as much as possible)

Joomla 3.9.3
PHP 7.2

Additional comments

I think it is after this fix:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7743

@jurihahn
Contributor Author

I found this: https://www.drupal.org/project/drupal/issues/3028265
I think Drupal has the same problem.

@jurihahn
Contributor Author

jurihahn commented Feb 14, 2019

This is a quick patch:

diff --git a/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php b/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php
index db500af..e53c141 100644
--- a/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php
+++ b/libraries/vendor/typo3/phar-stream-wrapper/src/Interceptor/PharExtensionInterceptor.php
@@ -27,6 +27,10 @@
      */
     public function assert($path, $command)
     {
+        if (preg_match('/^phar:\/\/[a-zA-Z0-9_]+\.phar\/.+\.php$/', $path) === 1) {
+            // Lightweight way to whitelist phar aliases, if they contain ".phar" extension
+            return TRUE;
+        }
         if ($this->baseFileContainsPharExtension($path)) {
             return true;
         }
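Review bot: the early return added at the top of assert() skips the baseFileContainsPharExtension($path) check below it for any path shaped like phar://<name>.phar/<file>.php, and <name> is only matched as text, never resolved to a file on disk. A PHAR alias is declared by the archive itself (in its manifest or stub) or at load time, so an archive whose alias happens to be named "anything.phar" passes this check no matter what extension the file backing it has; that is the same class of bypass the interceptor exists to stop, which is why this can at most be a temporary, site-local patch. If it has to be carried temporarily, match only the one alias actually needed (the literal prefix phar://geoip2.phar/) instead of [a-zA-Z0-9_]+\.phar. Minor: `return TRUE;` should be `return true;` to match the lowercase `return true;` on the next line.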

@mbabker
Contributor

mbabker commented Feb 14, 2019

See TYPO3/phar-stream-wrapper#15 for upstream fix

Patching third-party files is only a solution for a temporary fix; this type of change cannot be allowed in the CMS.

@mbabker
Contributor

mbabker commented Feb 14, 2019

Also as pointed out in https://www.drupal.org/project/drupal/issues/3026443 and related conversation, that patch is actually pretty likely to re-introduce security issues.

@jurihahn
Contributor Author

Yes, this is just a quick solution that works for me. Without this solution my service doesn't work... Will Joomla get an update with the fix in version 3.9.4?

@mbabker
Contributor

mbabker commented Feb 15, 2019

It depends on when the upstream fix is released. The quick fix that you suggested though should not be included in a release because it re-introduces a similar issue that adding that library tries to solve (basically if you're rolling with that patch you're suggesting on a production site you need to be pretty darn certain that no other PHAR files are able to get into your environment, or you should roll a temporary patch that explicitly whitelists only that PHAR).

@HLeithner
Member

@jurihahn maybe you can help test TYPO3/phar-stream-wrapper#15 and give the typo3 devs feedback if it works.

The 3.9.4 release is planned for 12 March, so it should be ready a week before.

@HLeithner
Member

@mbabker can you give @jurihahn some advice how to test the typo3 PR please?

@mbabker
Contributor

mbabker commented Feb 19, 2019

Quickest thing I can come up with is apply the changes from that repo's src directory to the files in libraries/vendor/typo3/phar-stream-wrapper/src in a Joomla install. There isn't a quick and simple diff to apply and unless you really want to mess with Composer stuff that's probably the easiest choice. You could try mangling the diff from https://patch-diff.githubusercontent.com/raw/TYPO3/phar-stream-wrapper/pull/15.diff to apply to a Joomla install (remove the README and tests directory changes), but no guarantees on that working.

@joomla-cms-bot

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/23907

@Quy
Contributor

Quy commented Feb 20, 2019

Please test PR #23956

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/23907.
