Bump typo3/phar-stream-wrapper library version to v2.1.2 to remove fileinfo extension dependency

What command(s) are you using to update? I am curious about the PHP version. Is fileinfo a listed extension at /admin/reports/status/php?

In comparing this library upgrade from v.2.0.1 to v2.1.1, which is what this security release is, there is a new usage of \finfo, which is actually now a requirement for Drupal 8.

This isn't actually the only thing in vendor that may use finfo so this isn't totally new:

$ git grep -l 'finfo('
vendor/consolidation/robo/src/Task/Archive/Extract.php
vendor/drush/drush/includes/drush.inc
vendor/symfony/http-foundation/File/File.php
vendor/symfony/http-foundation/File/MimeType/FileinfoMimeTypeGuesser.php
vendor/typo3/phar-stream-wrapper/src/Phar/Reader.php

According to php.net this extension is compiled in since PHP 5.3 so I am changing this to a support request.

I'm seeing similar behaviour on a drupal 7.x site.

The site works post upgrade to 7.67 however drush fails. Update was done via drush.

I've upgraded a number of sites today and not seen this behaviour - however this site is isn't running on our standard server config.

The initial error is

Error: Uncaught Error: Call to undefined function cache_get() in [web_root]/includes/module.inc:767

Error,[!message] => Class 'finfo' not found,[%function] => TYPO3\PharStreamWrapper\Phar\Reader->determineFileType(),[%file] => [web_root]/misc/typo3/phar-stream-wrapper/src/Phar/Reader.php,[%line] => 15

I've updated drush to 8.2.3, and bumped the default php version at the command line to 7.2 to match the site php version.
I've inserted some debugging code as per https://drupal.stackexchange.com/questions/43971/fatal-error-call-to-und...
which enabled me to isolate the finfo issue.

The line in question ([web_root]/misc/typo3/phar-stream-wrapper/src/Phar/Reader.php:155

        $fileInfo = new \finfo();

Runs fine when excuted via php -a however fails when using drush php via another pre upgrade copy of the site on the same server.

PHP Fatal error:  Class 'finfo' not found in Psy Shell code on line 1

Hmm.

I've just worked out that there is no "fileinfo support" when viewing phpinfo via /admin/reports/status/php and searching for "fileinfo support" this picks up a result on a site which runs the upgrade fine and fails on this site.

Looks like because this site was using cpanel fileinfo wasn't enabled by default. Having used easy apache to update this it's now working.

I think the assumption as far as Drupal 8's requirements is that compiled-in-by-default extensions are enabled. Yes, these can be disabled in some configurations but fileinfo is needed now. The question from here is whether we need to document this requirement.

Thanks everyone for the reports here. A couple questions for everyone:

1. Does the error occur only when you use Drush?
2. Can you test updating the site manually and check the status report to see if the correct version is reported?
3. If you're comfortable sharing, what hosting provider do you use? Since PHP compiles the extension by default, this means your hosting provider might have made a deliberate decision to disable it. If we find a specific hosting provider in common that will help others encountering this issue.

I do think this is at a minimum a documentation bug; we wouldn't intentionally add a new PHP requirement in a security release if it were Drupal's own code. (Our testbots clearly do use this extension already or testing would have failed.) There might also be some way to mitigate it, especially if this is another Drush-phar-specific issue.

For now I've added this as a known issue in the release notes.

So for 8.7.x the fileinfo extension was required as part of 8.7.0 and not the security release.

composer why ext-fileinfo
typo3/phar-stream-wrapper  v2.1.0  requires  ext-fileinfo (*)

The dependency was added in typo3/phar-stream-wrapper v2.1.0 so was not part of 8.6.x, 8.5.x and 7.x prior to yesterdays security releases.

The exception will occur when a phar is being read so that is most often when drush 8 is being used.

I pinged TYPO3 and they seemed open to an upstream PR to work around the requirement.

An alternative could be `mime_content_type` and if that fails as well, disable mime-type detection

(From @oliver.hader who made their sec release.)

Like @xjm mentioned already... if it makes sense and helps, we can integrate that into upstream of course

I tried to update manually with no errors on ubuntu 16 but this error on Centos 6

Fatal error: Interface 'TYPO3\PharStreamWrapper\Collectable' not found in /var/www/html/misc/typo3/phar-stream-wrapper/src/Resolver/PharInvocationCollection.php on line 17

@newdrupaldev That is a totally different thing. Open a support issue and indicate what you have done to upgrade.

We should add fileinfo to system_requirements() so that it shows properly on install/update and the status report. Also to https://www.drupal.org/docs/8/system-requirements/php-requirements - tagging novice since that should be relatively straightforward to work on.

Bumping back to critical for that though.

I've opened https://github.com/TYPO3/phar-stream-wrapper/pull/33 for an upstream fix. Interestingly the Typo3 CMS is in a similar position to Drupal - looking at https://github.com/TYPO3/TYPO3.CMS/blob/master/composer.json it only suggests the fileinfo extension and does not require it - it does now though with the latest security fixes to the phar package.

Simply add fileinfo in required extensions list.

@oriol_e9g let's try and get this fixed upstream rather than adding a new requirement. We're quite far along - see https://github.com/TYPO3/phar-stream-wrapper/pull/33

Cleaned up the issue summary.

Here's a patch to bump the version to the latest version. For both 8.8.x/8.7.x and 8.6.x/8.5.x

Created an issue for 7.x - #3054615: Bump typo3/phar-stream-wrapper library version to v2.1.2 to remove fileinfo extension dependency

Seems we didn't do the release for 8.5.x so that's okay.

To make reviewing the changes in the upstream library easier - https://github.com/TYPO3/phar-stream-wrapper/compare/v2.1.1...v2.1.2

The patch looks simple and straightforward :)

Committed/pushed to 8.8.x/8.7.x/8.6.x, thanks!