A PHP Function Called Stream_Wrapper_Unregister Disables a Previously Registered URL Wrapper

A php function called stream_wrapper_unregister disables a previously registered URL wrapper. The function can be overridden with a user defined wrapper using the function stream_wrapper_register() or re-enabled later on with the function stream_wrapper_restore().

A stream is a resource object that exhibits streaming behavior; it can be read from or written to in a linear fashion and may be fseek() to arbitrary positions within the stream. Streams are built into PHP by default (see Appendix M). Additional, custom wrappers may be registered within a script using stream_wrapper_register() or via extensions. Wrappers are augmented by contexts which contain various parameters and options which modify the flow of the stream. Contexts are passed to most filesystem related stream creation functions (i.e. fopen(), file(), and file_get_contents()).

In addition to the basic functionality provided by the Zend engine, PHP has 3 main types of function: internal functions which are provided by PHP and installed extensions, user-defined functions which are created in the running script and anonymous functions also known as closures which are executed as part of the scope of the calling script and do not have a defined name. PHP includes a function to disable internal functions if the function is found to be dangerous; however, this directive is only effective against PHP versions prior to PHP 4.3 and cannot be circumvented by extension developers.

When a script uses a function, it is looked up in the PHP function table (function_table) to find its handler. Both internal and user-defined functions are stored in the function table, but only the handler for a specific function will be used when a script calls that function. This is why disabling a function with disable_functions does not stop attacks from exploiting it.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

stream_wrapper_unregister example

/** @var resource */
    private $handle;
    private string $path;

    public static function require(string $path): array
    {
        if (!\extension_loaded('zlib')) {
            throw new \LogicException(sprintf('The "zlib" extension is required to load the "%s/%s" map, please enable it in your php.ini file.', basename(\dirname($path))basename($path)));
        }

        if (!\function_exists('opcache_is_script_cached') || !@opcache_is_script_cached($path)) {
            stream_wrapper_unregister('file');
            stream_wrapper_register('file', self::class);
        }

        return require $path;
    }

    public function stream_open(string $path, string $mode): bool
    {
        stream_wrapper_restore('file');
        $this->path = $path;

        

  public function unregister() {
    // Normally, there are definitely wrappers set for the ALL filter. However,     // in some cases involving many container rebuilds (e.g. BrowserTestBase),     // $this->wrappers may be empty although wrappers are still registered     // globally. Thus an isset() check is needed before iterating.     if (isset($this->wrappers[StreamWrapperInterface::ALL])) {
      foreach (array_keys($this->wrappers[StreamWrapperInterface::ALL]) as $scheme) {
        stream_wrapper_unregister($scheme);
      }
    }
  }

  /** * {@inheritdoc} */
  public function registerWrapper($scheme$class$type) {
    if (in_array($schemestream_get_wrappers(), TRUE)) {
      stream_wrapper_unregister($scheme);
    }

    
    $this->publicFilesDirectory = $this->siteDirectory . '/files';
    $this->privateFilesDirectory = $this->siteDirectory . '/private';
    $this->tempFilesDirectory = $this->siteDirectory . '/temp';
    $this->translationFilesDirectory = $this->siteDirectory . '/translations';

    // Ensure the configImporter is refreshed for each test.     $this->configImporter = NULL;

    // Unregister all custom stream wrappers of the parent site.     $wrappers = \Drupal::service('stream_wrapper_manager')->getWrappers(StreamWrapperInterface::ALL);
    foreach ($wrappers as $scheme => $info) {
      stream_wrapper_unregister($scheme);
    }

    // Reset statics.     drupal_static_reset();

    $this->container = NULL;

    // Unset globals.     unset($GLOBALS['config']);
    unset($GLOBALS['conf']);

    
private static string $content = '';
    private int $position          = 0;

    public static function setContent(string $content)
    {
        self::$content = $content;
    }

    public static function register()
    {
        stream_wrapper_unregister('php');
        stream_wrapper_register('php', self::class);
    }

    public static function restore()
    {
        stream_wrapper_restore('php');
    }

    public function stream_open(string $path): bool
    {
        return true;
    }
Home | Imprint | This part of the site doesn't use cookies.