diff options
21 files changed, 1074 insertions, 204 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? 201?, PHP 5.5.0 - General improvements: + . Add simplified password hashing API + (https://wiki.php.net/rfc/password_hash). (Anthony Ferrara) . Add generators and coroutines (https://wiki.php.net/rfc/generators). (Nikita Popov) . Support list in foreach (https://wiki.php.net/rfc/foreachlist). (Laruence) @@ -84,4 +86,8 @@ PHP NEWS - Zip: . Upgraded libzip to 0.10.1 (Anatoliy) +- Fileinfo: + . Fixed bug #63248 (Load multiple magic files from a directory under Windows). + (Anatoliy) + <<< NOTE: Insert NEWS from last stable release here prior to actual release! >>> diff --git a/ext/fileinfo/config.w32 b/ext/fileinfo/config.w32 index 46b87b56dc..873a12c2f4 100644 --- a/ext/fileinfo/config.w32 +++ b/ext/fileinfo/config.w32 @@ -4,22 +4,16 @@ ARG_ENABLE("fileinfo", "fileinfo support", "no"); if (PHP_FILEINFO != 'no') { - if (CHECK_HEADER_ADD_INCLUDE("dirent.h", "CFLAGS_FILEINFO") && - CHECK_LIB("dirent_a.lib", "fileinfo", PHP_FILEINFO)) { - LIBMAGIC_SOURCES=" apprentice.c apptype.c ascmagic.c \ - cdf.c cdf_time.c compress.c \ - encoding.c fsmagic.c funcs.c \ - is_tar.c magic.c print.c \ - readcdf.c readelf.c softmagic.c"; + LIBMAGIC_SOURCES=" apprentice.c apptype.c ascmagic.c \ + cdf.c cdf_time.c compress.c \ + encoding.c fsmagic.c funcs.c \ + is_tar.c magic.c print.c \ + readcdf.c readelf.c softmagic.c"; - if (VCVERS < 1500) { - ADD_FLAG('CFLAGS', '/Zm1000'); - } + if (VCVERS < 1500) { + ADD_FLAG('CFLAGS', '/Zm1000'); + } - EXTENSION('fileinfo', 'fileinfo.c', true, "/I" + configure_module_dirname + "/libmagic /I" + configure_module_dirname); - ADD_SOURCES(configure_module_dirname + '\\libmagic', LIBMAGIC_SOURCES, "fileinfo"); - } else { - WARNING("fileinfo not enabled; libraries and headers not found"); - PHP_FILEINFO = "no"; - } + EXTENSION('fileinfo', 'fileinfo.c', true, "/I" + configure_module_dirname + "/libmagic /I" + configure_module_dirname); + ADD_SOURCES(configure_module_dirname + '\\libmagic', LIBMAGIC_SOURCES, "fileinfo"); } diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch index 15f6a6dadd..ecb178ffa9 100644 --- a/ext/fileinfo/libmagic.patch +++ b/ext/fileinfo/libmagic.patch @@ -1,6 +1,6 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c ---- libmagic.origin/apprentice.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/apprentice.c 2012-09-11 11:36:51.000000000 +0800 +--- libmagic.origin/apprentice.c Sat Dec 17 18:17:18 2011 ++++ libmagic/apprentice.c Tue Oct 16 10:21:49 2012 @@ -29,6 +29,8 @@ * apprentice - make one pass through /etc/magic, learning its secrets. */ @@ -10,7 +10,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c #include "file.h" #ifndef lint -@@ -36,18 +38,34 @@ +@@ -36,18 +38,31 @@ #endif /* lint */ #include "magic.h" @@ -43,13 +43,11 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c -#ifdef QUICK -#include <sys/mman.h> -#endif -+#ifndef PHP_WIN32 - #include <dirent.h> -+#endif +-#include <dirent.h> #define EATAB {while (isascii((unsigned char) *l) && \ isspace((unsigned char) *l)) ++l;} -@@ -112,12 +130,10 @@ +@@ -112,12 +127,10 @@ private int parse_strength(struct magic_set *, struct magic_entry *, const char *); private int parse_apple(struct magic_set *, struct magic_entry *, const char *); @@ -62,7 +60,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c private struct { const char *name; size_t len; -@@ -131,38 +147,7 @@ +@@ -131,38 +144,7 @@ { NULL, 0, NULL } }; @@ -102,7 +100,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c static const struct type_tbl_s { const char name[16]; -@@ -218,6 +203,10 @@ +@@ -218,6 +200,10 @@ # undef XX_NULL }; @@ -113,7 +111,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c private int get_type(const char *l, const char **t) { -@@ -275,15 +264,17 @@ +@@ -275,15 +261,17 @@ if (rv != 0) return -1; rv = apprentice_compile(ms, &magic, &nmagic, fn); @@ -136,7 +134,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c if (rv != 0) return -1; } -@@ -295,11 +286,7 @@ +@@ -295,11 +283,7 @@ return -1; } @@ -149,7 +147,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c ml->magic = magic; ml->nmagic = nmagic; -@@ -318,7 +305,6 @@ +@@ -318,7 +302,6 @@ } return 0; @@ -157,7 +155,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c } protected void -@@ -327,22 +313,18 @@ +@@ -327,22 +310,18 @@ if (p == NULL) return; switch (type) { @@ -186,7 +184,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c default: abort(); } -@@ -355,23 +337,27 @@ +@@ -355,23 +334,27 @@ char *p, *mfn; int file_err, errs = -1; struct mlist *mlist; @@ -223,7 +221,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c mlist->next = mlist->prev = mlist; while (fn) { -@@ -385,13 +371,13 @@ +@@ -385,13 +368,13 @@ fn = p; } if (errs == -1) { @@ -240,7 +238,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c return mlist; } -@@ -524,6 +510,7 @@ +@@ -524,6 +507,7 @@ abort(); } @@ -248,7 +246,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c /* * Magic entries with no description get a bonus because they depend * on subsequent magic entries to print something. -@@ -539,8 +526,8 @@ +@@ -539,8 +523,8 @@ private int apprentice_sort(const void *a, const void *b) { @@ -259,7 +257,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c size_t sa = apprentice_magic_strength(ma->mp); size_t sb = apprentice_magic_strength(mb->mp); if (sa == sb) -@@ -671,12 +658,22 @@ +@@ -671,12 +655,22 @@ load_1(struct magic_set *ms, int action, const char *fn, int *errs, struct magic_entry **marray, uint32_t *marraycount) { @@ -286,7 +284,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c if (errno != ENOENT) file_error(ms, errno, "cannot read magic file `%s'", fn); -@@ -684,9 +681,12 @@ +@@ -684,9 +678,12 @@ return; } @@ -302,7 +300,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c if (len == 0) /* null line, garbage, etc */ continue; if (line[len - 1] == '\n') { -@@ -736,8 +736,7 @@ +@@ -736,8 +733,7 @@ break; } } @@ -312,7 +310,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c } /* -@@ -754,23 +753,19 @@ +@@ -754,23 +750,21 @@ apprentice_load(struct magic_set *ms, struct magic **magicp, uint32_t *nmagicp, const char *fn, int action) { @@ -325,8 +323,12 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c + size_t files = 0, maxfiles = 0; + char **filearr = NULL; struct stat st; - DIR *dir; - struct dirent *d; +- DIR *dir; +- struct dirent *d; ++ php_stream *dir; ++ php_stream_dirent d; ++ ++ TSRMLS_FETCH(); ms->flags |= MAGIC_CHECK; /* Enable checks for parsed files */ @@ -341,28 +343,33 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c marraycount = 0; /* print silly verbose header for USG compat. */ -@@ -778,14 +773,18 @@ +@@ -778,22 +772,26 @@ (void)fprintf(stderr, "%s\n", usg_hdr); /* load directory or file */ - if (stat(fn, &st) == 0 && S_ISDIR(st.st_mode)) { +- dir = opendir(fn); + /* FIXME: Read file names and sort them to prevent + non-determinism. See Debian bug #488562. */ + if (php_sys_stat(fn, &st) == 0 && S_ISDIR(st.st_mode)) { -+ int mflen; -+ char mfn[MAXPATHLEN]; - dir = opendir(fn); ++ int mflen; ++ char mfn[MAXPATHLEN]; ++ ++ dir = php_stream_opendir(fn, REPORT_ERRORS, NULL); if (!dir) { errs++; goto out; } - while ((d = readdir(dir)) != NULL) { +- while ((d = readdir(dir)) != NULL) { - if (asprintf(&mfn, "%s/%s", fn, d->d_name) < 0) { -+ if ((mflen = snprintf(mfn, sizeof(mfn), "%s/%s", fn, d->d_name)) < 0) { ++ while (php_stream_readdir(dir, &d)) { ++ if ((mflen = snprintf(mfn, sizeof(mfn), "%s/%s", fn, d.d_name)) < 0) { file_oomem(ms, - strlen(fn) + strlen(d->d_name) + 2); +- strlen(fn) + strlen(d->d_name) + 2); ++ strlen(fn) + strlen(d.d_name) + 2); errs++; -@@ -793,7 +792,6 @@ +- closedir(dir); ++ php_stream_closedir(dir); goto out; } if (stat(mfn, &st) == -1 || !S_ISREG(st.st_mode)) { @@ -375,7 +382,8 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c realloc(filearr, mlen))) == NULL) { file_oomem(ms, mlen); - free(mfn); - closedir(dir); +- closedir(dir); ++ php_stream_closedir(dir); errs++; goto out; } @@ -383,7 +391,8 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c - filearr[files++] = mfn; + filearr[files++] = estrndup(mfn, (mflen > sizeof(mfn) - 1)? sizeof(mfn) - 1: mflen); } - closedir(dir); +- closedir(dir); ++ php_stream_closedir(dir); qsort(filearr, files, sizeof(*filearr), cmpstrp); for (i = 0; i < files; i++) { load_1(ms, action, filearr[i], &errs, &marray, @@ -512,7 +521,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c m->mimetype[0] = '\0'; /* initialise MIME type to none */ if (m->cont_level == 0) ++(*nmentryp); /* make room for next */ -@@ -2195,56 +2180,69 @@ +@@ -2195,56 +2180,79 @@ /* * handle a compiled file. @@ -543,6 +552,16 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c + ret = 3; + goto internal_loaded; + } ++ ++#ifdef PHP_WIN32 ++ /* Don't bother on windows with php_stream_open_wrapper, ++ return to give apprentice_load() a chance. */ ++ if (php_stream_stat_path_ex(fn, 0, &st, NULL) == SUCCESS) { ++ if (st.sb.st_mode & S_IFDIR) { ++ goto error2; ++ } ++ } ++#endif dbname = mkdbname(ms, fn, 0); if (dbname == NULL) @@ -605,7 +624,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c ptr = (uint32_t *)(void *)*magicp; if (*ptr != MAGICNO) { if (swap4(*ptr) != MAGICNO) { -@@ -2259,35 +2257,55 @@ +@@ -2259,35 +2267,55 @@ else version = ptr[1]; if (version != VERSIONNO) { @@ -677,7 +696,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c return -1; } -@@ -2301,42 +2319,49 @@ +@@ -2301,42 +2329,49 @@ apprentice_compile(struct magic_set *ms, struct magic **magicp, uint32_t *nmagicp, const char *fn) { @@ -738,7 +757,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c return rv; } -@@ -2349,6 +2374,7 @@ +@@ -2349,6 +2384,7 @@ { const char *p, *q; char *buf; @@ -746,7 +765,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c if (strip) { if ((p = strrchr(fn, '/')) != NULL) -@@ -2370,14 +2396,14 @@ +@@ -2370,14 +2406,14 @@ q++; /* Compatibility with old code that looked in .mime */ if (ms->flags & MAGIC_MIME) { @@ -765,7 +784,7 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c /* Compatibility with old code that looked in .mime */ if (strstr(p, ".mime") != NULL) -@@ -2467,7 +2493,7 @@ +@@ -2467,7 +2503,7 @@ m->offset = swap4((uint32_t)m->offset); m->in_offset = swap4((uint32_t)m->in_offset); m->lineno = swap4((uint32_t)m->lineno); @@ -775,8 +794,8 @@ diff -u libmagic.origin/apprentice.c libmagic/apprentice.c m->str_flags = swap4(m->str_flags); } diff -u libmagic.origin/ascmagic.c libmagic/ascmagic.c ---- libmagic.origin/ascmagic.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/ascmagic.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/ascmagic.c Sat Dec 17 18:17:18 2011 ++++ libmagic/ascmagic.c Tue Apr 10 09:46:33 2012 @@ -139,10 +139,8 @@ /* malloc size is a conservative overestimate; could be improved, or at least realloced after conversion. */ @@ -801,8 +820,8 @@ diff -u libmagic.origin/ascmagic.c libmagic/ascmagic.c return rv; } diff -u libmagic.origin/cdf.c libmagic/cdf.c ---- libmagic.origin/cdf.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/cdf.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/cdf.c Mon Feb 20 23:35:29 2012 ++++ libmagic/cdf.c Tue Apr 10 09:46:33 2012 @@ -43,7 +43,17 @@ #include <err.h> #endif @@ -865,8 +884,8 @@ diff -u libmagic.origin/cdf.c libmagic/cdf.c (void)fprintf(stderr, "timestamp %s\n", buf); } else { diff -u libmagic.origin/cdf.h libmagic/cdf.h ---- libmagic.origin/cdf.h 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/cdf.h 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/cdf.h Fri Feb 17 06:28:31 2012 ++++ libmagic/cdf.h Tue Apr 10 09:46:34 2012 @@ -35,7 +35,7 @@ #ifndef _H_CDF_ #define _H_CDF_ @@ -903,8 +922,8 @@ diff -u libmagic.origin/cdf.h libmagic/cdf.h void cdf_swap_header(cdf_header_t *); void cdf_unpack_header(cdf_header_t *, char *); diff -u libmagic.origin/cdf_time.c libmagic/cdf_time.c ---- libmagic.origin/cdf_time.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/cdf_time.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/cdf_time.c Tue Dec 13 14:48:41 2011 ++++ libmagic/cdf_time.c Tue Apr 10 09:46:34 2012 @@ -96,7 +96,7 @@ } @@ -962,8 +981,8 @@ diff -u libmagic.origin/cdf_time.c libmagic/cdf_time.c static const char *ref = "Sat Apr 23 01:30:00 1977"; char *p, *q; diff -u libmagic.origin/compress.c libmagic/compress.c ---- libmagic.origin/compress.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/compress.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/compress.c Sat Dec 17 18:17:18 2011 ++++ libmagic/compress.c Tue Apr 10 09:46:34 2012 @@ -32,6 +32,7 @@ * uncompress(method, old, n, newch) - uncompress old into new, * using method, return sizeof new @@ -1124,10 +1143,9 @@ diff -u libmagic.origin/compress.c libmagic/compress.c } -#endif +#endif /* if PHP_FILEINFO_UNCOMPRESS */ -Only in libmagic: diff diff -u libmagic.origin/file.h libmagic/file.h ---- libmagic.origin/file.h 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/file.h 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/file.h Tue Sep 20 17:30:14 2011 ++++ libmagic/file.h Mon Apr 23 17:58:54 2012 @@ -33,11 +33,9 @@ #ifndef __file_h__ #define __file_h__ @@ -1285,22 +1303,24 @@ diff -u libmagic.origin/file.h libmagic/file.h size_t strlcat(char *dst, const char *src, size_t siz); #endif #ifndef HAVE_GETLINE -@@ -500,4 +487,12 @@ - #define FILE_RCSID(id) +@@ -498,6 +485,14 @@ #endif - + #else + #define FILE_RCSID(id) ++#endif ++ +#ifdef PHP_WIN32 +#define FINFO_LSEEK_FUNC _lseek +#define FINFO_READ_FUNC _read +#else +#define FINFO_LSEEK_FUNC lseek +#define FINFO_READ_FUNC read -+#endif -+ + #endif + #endif /* __file_h__ */ diff -u libmagic.origin/fsmagic.c libmagic/fsmagic.c ---- libmagic.origin/fsmagic.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/fsmagic.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/fsmagic.c Tue Aug 23 10:57:10 2011 ++++ libmagic/fsmagic.c Tue Apr 10 09:46:34 2012 @@ -59,27 +59,21 @@ # define minor(dev) ((dev) & 0xff) #endif @@ -1511,10 +1531,10 @@ diff -u libmagic.origin/fsmagic.c libmagic/fsmagic.c -#else - if (file_printf(ms, "block special") == -1) - return -1; --#endif + #endif - } - return 1; - #endif +-#endif - /* TODO add code to handle V7 MUX and Blit MUX files */ + #ifdef S_IFIFO @@ -1624,8 +1644,8 @@ diff -u libmagic.origin/fsmagic.c libmagic/fsmagic.c /* diff -u libmagic.origin/funcs.c libmagic/funcs.c ---- libmagic.origin/funcs.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/funcs.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/funcs.c Sat Dec 17 18:17:18 2011 ++++ libmagic/funcs.c Mon Apr 23 17:58:54 2012 @@ -41,52 +41,42 @@ #if defined(HAVE_WCTYPE_H) #include <wctype.h> @@ -1920,8 +1940,8 @@ diff -u libmagic.origin/funcs.c libmagic/funcs.c } + diff -u libmagic.origin/magic.c libmagic/magic.c ---- libmagic.origin/magic.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/magic.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/magic.c Thu May 26 03:27:59 2011 ++++ libmagic/magic.c Tue Apr 10 09:46:34 2012 @@ -25,11 +25,6 @@ * SUCH DAMAGE. */ @@ -2298,8 +2318,8 @@ diff -u libmagic.origin/magic.c libmagic/magic.c public const char * magic_error(struct magic_set *ms) diff -u libmagic.origin/magic.h libmagic/magic.h ---- libmagic.origin/magic.h 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/magic.h 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/magic.h Sun Dec 18 15:54:43 2011 ++++ libmagic/magic.h Tue Apr 10 09:46:34 2012 @@ -85,6 +85,7 @@ const char *magic_getpath(const char *, int); @@ -2317,9 +2337,9 @@ diff -u libmagic.origin/magic.h libmagic/magic.h int magic_errno(magic_t); diff -u libmagic.origin/print.c libmagic/print.c ---- libmagic.origin/print.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/print.c 2012-09-11 11:33:55.000000000 +0800 -@@ -29,6 +29,9 @@ +--- libmagic.origin/print.c Tue Sep 20 17:28:09 2011 ++++ libmagic/print.c Tue Oct 16 10:13:39 2012 +@@ -29,12 +29,16 @@ * print.c - debugging printout routines */ @@ -2329,7 +2349,14 @@ diff -u libmagic.origin/print.c libmagic/print.c #include "file.h" #ifndef lint -@@ -46,174 +49,21 @@ + FILE_RCSID("@(#)$File: print.c,v 1.71 2011/09/20 15:28:09 christos Exp $") + #endif /* lint */ + ++#include <stdio.h> + #include <string.h> + #include <stdarg.h> + #include <stdlib.h> +@@ -45,174 +49,21 @@ #define SZOF(a) (sizeof(a) / sizeof(a[0])) @@ -2512,8 +2539,8 @@ diff -u libmagic.origin/print.c libmagic/print.c protected const char * diff -u libmagic.origin/readcdf.c libmagic/readcdf.c ---- libmagic.origin/readcdf.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/readcdf.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/readcdf.c Mon Feb 20 21:04:58 2012 ++++ libmagic/readcdf.c Tue Apr 10 09:46:34 2012 @@ -30,7 +30,11 @@ #endif @@ -2560,8 +2587,8 @@ diff -u libmagic.origin/readcdf.c libmagic/readcdf.c if ((ec = strchr(c, '\n')) != NULL) *ec = '\0'; diff -u libmagic.origin/readelf.c libmagic/readelf.c ---- libmagic.origin/readelf.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/readelf.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/readelf.c Tue Aug 23 10:57:10 2011 ++++ libmagic/readelf.c Tue Apr 10 09:46:34 2012 @@ -49,7 +49,7 @@ off_t, int *, int); private int doshn(struct magic_set *, int, int, int, off_t, int, size_t, @@ -2717,8 +2744,8 @@ diff -u libmagic.origin/readelf.c libmagic/readelf.c if (fstat(fd, &st) == -1) { diff -u libmagic.origin/softmagic.c libmagic/softmagic.c ---- libmagic.origin/softmagic.c 2012-09-11 11:09:26.000000000 +0800 -+++ libmagic/softmagic.c 2012-09-11 11:33:55.000000000 +0800 +--- libmagic.origin/softmagic.c Sat Dec 17 18:17:18 2011 ++++ libmagic/softmagic.c Fri May 25 09:59:25 2012 @@ -41,6 +41,11 @@ #include <stdlib.h> #include <time.h> diff --git a/ext/fileinfo/libmagic/apprentice.c b/ext/fileinfo/libmagic/apprentice.c index d11bd159a8..787eb79367 100644 --- a/ext/fileinfo/libmagic/apprentice.c +++ b/ext/fileinfo/libmagic/apprentice.c @@ -63,9 +63,6 @@ FILE_RCSID("@(#)$File: apprentice.c,v 1.173 2011/12/08 12:38:24 rrt Exp $") #include <assert.h> #include <ctype.h> #include <fcntl.h> -#ifndef PHP_WIN32 -#include <dirent.h> -#endif #define EATAB {while (isascii((unsigned char) *l) && \ isspace((unsigned char) *l)) ++l;} @@ -759,8 +756,10 @@ apprentice_load(struct magic_set *ms, struct magic **magicp, uint32_t *nmagicp, size_t files = 0, maxfiles = 0; char **filearr = NULL; struct stat st; - DIR *dir; - struct dirent *d; + php_stream *dir; + php_stream_dirent d; + + TSRMLS_FETCH(); ms->flags |= MAGIC_CHECK; /* Enable checks for parsed files */ @@ -776,19 +775,20 @@ apprentice_load(struct magic_set *ms, struct magic **magicp, uint32_t *nmagicp, /* FIXME: Read file names and sort them to prevent non-determinism. See Debian bug #488562. */ if (php_sys_stat(fn, &st) == 0 && S_ISDIR(st.st_mode)) { - int mflen; - char mfn[MAXPATHLEN]; - dir = opendir(fn); + int mflen; + char mfn[MAXPATHLEN]; + + dir = php_stream_opendir(fn, REPORT_ERRORS, NULL); if (!dir) { errs++; goto out; } - while ((d = readdir(dir)) != NULL) { - if ((mflen = snprintf(mfn, sizeof(mfn), "%s/%s", fn, d->d_name)) < 0) { + while (php_stream_readdir(dir, &d)) { + if ((mflen = snprintf(mfn, sizeof(mfn), "%s/%s", fn, d.d_name)) < 0) { file_oomem(ms, - strlen(fn) + strlen(d->d_name) + 2); + strlen(fn) + strlen(d.d_name) + 2); errs++; - closedir(dir); + php_stream_closedir(dir); goto out; } if (stat(mfn, &st) == -1 || !S_ISREG(st.st_mode)) { @@ -801,14 +801,14 @@ apprentice_load(struct magic_set *ms, struct magic **magicp, uint32_t *nmagicp, if ((filearr = CAST(char **, realloc(filearr, mlen))) == NULL) { file_oomem(ms, mlen); - closedir(dir); + php_stream_closedir(dir); errs++; goto out; } } filearr[files++] = estrndup(mfn, (mflen > sizeof(mfn) - 1)? sizeof(mfn) - 1: mflen); } - closedir(dir); + php_stream_closedir(dir); qsort(filearr, files, sizeof(*filearr), cmpstrp); for (i = 0; i < files; i++) { load_1(ms, action, filearr[i], &errs, &marray, @@ -2206,6 +2206,16 @@ apprentice_map(struct magic_set *ms, struct magic **magicp, uint32_t *nmagicp, goto internal_loaded; } +#ifdef PHP_WIN32 + /* Don't bother on windows with php_stream_open_wrapper, + return to give apprentice_load() a chance. */ + if (php_stream_stat_path_ex(fn, 0, &st, NULL) == SUCCESS) { + if (st.sb.st_mode & S_IFDIR) { + goto error2; + } + } +#endif + dbname = mkdbname(ms, fn, 0); if (dbname == NULL) goto error2; diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index a2d236c9df..a30579e143 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -1854,6 +1854,25 @@ ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO(arginfo_getlastmod, 0) ZEND_END_ARG_INFO() /* }}} */ +/* {{{ password.c */ +ZEND_BEGIN_ARG_INFO_EX(arginfo_password_hash, 0, 0, 2) + ZEND_ARG_INFO(0, password) + ZEND_ARG_INFO(0, algo) + ZEND_ARG_INFO(0, options) +ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_password_get_info, 0, 0, 1) + ZEND_ARG_INFO(0, hash) +ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_password_needs_rehash, 0, 0, 2) + ZEND_ARG_INFO(0, hash) + ZEND_ARG_INFO(0, algo) + ZEND_ARG_INFO(0, options) +ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_password_verify, 0, 0, 2) + ZEND_ARG_INFO(0, password) + ZEND_ARG_INFO(0, hash) +ZEND_END_ARG_INFO() +/* }}} */ /* {{{ proc_open.c */ #ifdef PHP_CAN_SUPPORT_PROC_OPEN ZEND_BEGIN_ARG_INFO_EX(arginfo_proc_terminate, 0, 0, 1) @@ -2864,6 +2883,10 @@ const zend_function_entry basic_functions[] = { /* {{{ */ PHP_FE(base64_decode, arginfo_base64_decode) PHP_FE(base64_encode, arginfo_base64_encode) + PHP_FE(password_hash, arginfo_password_hash) + PHP_FE(password_get_info, arginfo_password_get_info) + PHP_FE(password_needs_rehash, arginfo_password_needs_rehash) + PHP_FE(password_verify, arginfo_password_verify) PHP_FE(convert_uuencode, arginfo_convert_uuencode) PHP_FE(convert_uudecode, arginfo_convert_uudecode) @@ -3614,6 +3637,7 @@ PHP_MINIT_FUNCTION(basic) /* {{{ */ BASIC_MINIT_SUBMODULE(browscap) BASIC_MINIT_SUBMODULE(standard_filters) BASIC_MINIT_SUBMODULE(user_filters) + BASIC_MINIT_SUBMODULE(password) #if defined(HAVE_LOCALECONV) && defined(ZTS) BASIC_MINIT_SUBMODULE(localeconv) diff --git a/ext/standard/config.m4 b/ext/standard/config.m4 index c33ae1e05c..fba423b191 100644 --- a/ext/standard/config.m4 +++ b/ext/standard/config.m4 @@ -580,7 +580,7 @@ PHP_NEW_EXTENSION(standard, array.c base64.c basic_functions.c browscap.c crc32. incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \ http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \ var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \ - filters.c proc_open.c streamsfuncs.c http.c) + filters.c proc_open.c streamsfuncs.c http.c password.c) PHP_ADD_MAKEFILE_FRAGMENT PHP_INSTALL_HEADERS([ext/standard/]) diff --git a/ext/standard/config.w32 b/ext/standard/config.w32 index d14b859e9d..5f24641b4d 100644 --- a/ext/standard/config.w32 +++ b/ext/standard/config.w32 @@ -19,7 +19,7 @@ EXTENSION("standard", "array.c base64.c basic_functions.c browscap.c \ versioning.c assert.c strnatcmp.c levenshtein.c incomplete_class.c \ url_scanner_ex.c ftp_fopen_wrapper.c http_fopen_wrapper.c \ php_fopen_wrapper.c credits.c css.c var_unserializer.c ftok.c sha1.c \ - user_filters.c uuencode.c filters.c proc_open.c \ + user_filters.c uuencode.c filters.c proc_open.c password.c \ streamsfuncs.c http.c flock_compat.c", false /* never shared */); PHP_INSTALL_HEADERS("", "ext/standard"); if (PHP_MBREGEX != "no") { diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 27a8d82d0e..3b443fc4d5 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -145,44 +145,9 @@ static void php_to64(char *s, long v, int n) /* {{{ */ } /* }}} */ -/* {{{ proto string crypt(string str [, string salt]) - Hash a string */ -PHP_FUNCTION(crypt) +PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt, int salt_len, char **result) { - char salt[PHP_MAX_SALT_LEN + 1]; - char *str, *salt_in = NULL; - int str_len, salt_in_len = 0; char *crypt_res; - salt[0] = salt[PHP_MAX_SALT_LEN] = '\0'; - - /* This will produce suitable results if people depend on DES-encryption - * available (passing always 2-character salt). At least for glibc6.1 */ - memset(&salt[1], '$', PHP_MAX_SALT_LEN - 1); - - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &str, &str_len, &salt_in, &salt_in_len) == FAILURE) { - return; - } - - if (salt_in) { - memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len)); - } - - /* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */ - if (!*salt) { -#if PHP_MD5_CRYPT - strncpy(salt, "$1$", PHP_MAX_SALT_LEN); - php_to64(&salt[3], PHP_CRYPT_RAND, 4); - php_to64(&salt[7], PHP_CRYPT_RAND, 4); - strncpy(&salt[11], "$", PHP_MAX_SALT_LEN - 11); -#elif PHP_STD_DES_CRYPT - php_to64(&salt[0], PHP_CRYPT_RAND, 2); - salt[2] = '\0'; -#endif - salt_in_len = strlen(salt); - } else { - salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len); - } - /* Windows (win32/crypt) has a stripped down version of libxcrypt and a CryptoApi md5_crypt implementation */ #if PHP_USE_PHP_CRYPT_R @@ -190,55 +155,44 @@ PHP_FUNCTION(crypt) struct php_crypt_extended_data buffer; if (salt[0]=='$' && salt[1]=='1' && salt[2]=='$') { - char output[MD5_HASH_MAX_LEN]; + char output[MD5_HASH_MAX_LEN], *out; - RETURN_STRING(php_md5_crypt_r(str, salt, output), 1); + out = php_md5_crypt_r(password, salt, output); + if (out) { + *result = estrdup(out); + return SUCCESS; + } + return FAILURE; } else if (salt[0]=='$' && salt[1]=='6' && salt[2]=='$') { - const char sha512_salt_prefix[] = "$6$"; - const char sha512_rounds_prefix[] = "rounds="; char *output; - int needed = (sizeof(sha512_salt_prefix) - 1 - + sizeof(sha512_rounds_prefix) + 9 + 1 - + salt_in_len + 1 + 86 + 1); - output = emalloc(needed); - salt[salt_in_len] = '\0'; + output = emalloc(PHP_MAX_SALT_LEN); - crypt_res = php_sha512_crypt_r(str, salt, output, needed); + crypt_res = php_sha512_crypt_r(password, salt, output, PHP_MAX_SALT_LEN); if (!crypt_res) { - if (salt[0]=='*' && salt[1]=='0') { - RETVAL_STRING("*1", 1); - } else { - RETVAL_STRING("*0", 1); - } + memset(output, 0, PHP_MAX_SALT_LEN); + efree(output); + return FAILURE; } else { - RETVAL_STRING(output, 1); + *result = estrdup(output); + memset(output, 0, PHP_MAX_SALT_LEN); + efree(output); + return SUCCESS; } - - memset(output, 0, needed); - efree(output); } else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') { - const char sha256_salt_prefix[] = "$5$"; - const char sha256_rounds_prefix[] = "rounds="; char *output; - int needed = (sizeof(sha256_salt_prefix) - 1 - + sizeof(sha256_rounds_prefix) + 9 + 1 - + salt_in_len + 1 + 43 + 1); - output = emalloc(needed); - salt[salt_in_len] = '\0'; + output = emalloc(PHP_MAX_SALT_LEN); - crypt_res = php_sha256_crypt_r(str, salt, output, needed); + crypt_res = php_sha256_crypt_r(password, salt, output, PHP_MAX_SALT_LEN); if (!crypt_res) { - if (salt[0]=='*' && salt[1]=='0') { - RETVAL_STRING("*1", 1); - } else { - RETVAL_STRING("*0", 1); - } + memset(output, 0, PHP_MAX_SALT_LEN); + efree(output); + return FAILURE; } else { - RETVAL_STRING(output, 1); + *result = estrdup(output); + memset(output, 0, PHP_MAX_SALT_LEN); + efree(output); + return SUCCESS; } - - memset(output, 0, needed); - efree(output); } else if ( salt[0] == '$' && salt[1] == '2' && @@ -251,31 +205,25 @@ PHP_FUNCTION(crypt) memset(output, 0, PHP_MAX_SALT_LEN + 1); - crypt_res = php_crypt_blowfish_rn(str, salt, output, sizeof(output)); + crypt_res = php_crypt_blowfish_rn(password, salt, output, sizeof(output)); if (!crypt_res) { - if (salt[0]=='*' && salt[1]=='0') { - RETVAL_STRING("*1", 1); - } else { - RETVAL_STRING("*0", 1); - } + memset(output, 0, PHP_MAX_SALT_LEN + 1); + return FAILURE; } else { - RETVAL_STRING(output, 1); + *result = estrdup(output); + memset(output, 0, PHP_MAX_SALT_LEN + 1); + return SUCCESS; } - - memset(output, 0, PHP_MAX_SALT_LEN + 1); } else { memset(&buffer, 0, sizeof(buffer)); _crypt_extended_init_r(); - crypt_res = _crypt_extended_r(str, salt, &buffer); + crypt_res = _crypt_extended_r(password, salt, &buffer); if (!crypt_res) { - if (salt[0]=='*' && salt[1]=='0') { - RETURN_STRING("*1", 1); - } else { - RETURN_STRING("*0", 1); - } + return FAILURE; } else { - RETURN_STRING(crypt_res, 1); + *result = estrdup(crypt_res); + return SUCCESS; } } } @@ -291,21 +239,68 @@ PHP_FUNCTION(crypt) # else # error Data struct used by crypt_r() is unknown. Please report. # endif - crypt_res = crypt_r(str, salt, &buffer); + crypt_res = crypt_r(password, salt, &buffer); if (!crypt_res) { - if (salt[0]=='*' && salt[1]=='0') { - RETURN_STRING("*1", 1); - } else { - RETURN_STRING("*0", 1); - } + return FAILURE; } else { - RETURN_STRING(crypt_res, 1); + *result = estrdup(crypt_res); + return SUCCESS; } } # endif #endif } /* }}} */ + + +/* {{{ proto string crypt(string str [, string salt]) + Hash a string */ +PHP_FUNCTION(crypt) +{ + char salt[PHP_MAX_SALT_LEN + 1]; + char *str, *salt_in = NULL, *result = NULL; + int str_len, salt_in_len = 0; + salt[0] = salt[PHP_MAX_SALT_LEN] = '\0'; + + /* This will produce suitable results if people depend on DES-encryption + * available (passing always 2-character salt). At least for glibc6.1 */ + memset(&salt[1], '$', PHP_MAX_SALT_LEN - 1); + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &str, &str_len, &salt_in, &salt_in_len) == FAILURE) { + return; + } + + if (salt_in) { + memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len)); + } + + /* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */ + if (!*salt) { +#if PHP_MD5_CRYPT + strncpy(salt, "$1$", PHP_MAX_SALT_LEN); + php_to64(&salt[3], PHP_CRYPT_RAND, 4); + php_to64(&salt[7], PHP_CRYPT_RAND, 4); + strncpy(&salt[11], "$", PHP_MAX_SALT_LEN - 11); +#elif PHP_STD_DES_CRYPT + php_to64(&salt[0], PHP_CRYPT_RAND, 2); + salt[2] = '\0'; +#endif + salt_in_len = strlen(salt); + } else { + salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len); + } + salt[salt_in_len] = '\0'; + + if (php_crypt(str, str_len, salt, salt_in_len, &result) == FAILURE) { + if (salt[0] == '*' && salt[1] == '0') { + RETURN_STRING("*1", 1); + } else { + RETURN_STRING("*0", 1); + } + } + RETURN_STRING(result, 0); +} +/* }}} */ #endif /* diff --git a/ext/standard/password.c b/ext/standard/password.c new file mode 100644 index 0000000000..266ad0a421 --- /dev/null +++ b/ext/standard/password.c @@ -0,0 +1,460 @@ +/* + +----------------------------------------------------------------------+ + | PHP Version 5 | + +----------------------------------------------------------------------+ + | Copyright (c) 1997-2012 The PHP Group | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Anthony Ferrara <ircmaxell@php.net> | + +----------------------------------------------------------------------+ +*/ + +/* $Id$ */ + +#include <stdlib.h> + +#include "php.h" +#if HAVE_CRYPT + +#include "fcntl.h" +#include "php_password.h" +#include "php_rand.h" +#include "php_crypt.h" +#include "base64.h" +#include "zend_interfaces.h" +#include "info.h" + +#if PHP_WIN32 +#include "win32/winutil.h" +#endif + +PHP_MINIT_FUNCTION(password) /* {{{ */ +{ + REGISTER_LONG_CONSTANT("PASSWORD_DEFAULT", PHP_PASSWORD_DEFAULT, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("PASSWORD_BCRYPT", PHP_PASSWORD_BCRYPT, CONST_CS | CONST_PERSISTENT); + + REGISTER_LONG_CONSTANT("PASSWORD_BCRYPT_DEFAULT_COST", PHP_PASSWORD_BCRYPT_COST, CONST_CS | CONST_PERSISTENT); + + return SUCCESS; +} +/* }}} */ + +static char* php_password_get_algo_name(const php_password_algo algo) +{ + switch (algo) { + case PHP_PASSWORD_BCRYPT: + return "bcrypt"; + case PHP_PASSWORD_UNKNOWN: + default: + return "unknown"; + } +} + +static php_password_algo php_password_determine_algo(const char *hash, const size_t len) +{ + if (len > 3 && hash[0] == '$' && hash[1] == '2' && hash[2] == 'y' && len == 60) { + return PHP_PASSWORD_BCRYPT; + } + + return PHP_PASSWORD_UNKNOWN; +} + +static zend_bool php_password_salt_is_alphabet(const char *str, const size_t len) /* {{{ */ +{ + size_t i = 0; + + for (i = 0; i < len; i++) { + if (!((str[i] >= 'A' && str[i] <= 'Z') || (str[i] >= 'a' && str[i] <= 'z') || (str[i] >= '0' && str[i] <= '9') || str[i] == '.' || str[i] == '/')) { + return 0; + } + } + return 1; +} +/* }}} */ + +static zend_bool php_password_salt_to64(const char *str, const size_t str_len, const size_t out_len, char *ret) /* {{{ */ +{ + size_t pos = 0; + size_t ret_len = 0; + unsigned char *buffer; + if ((int) str_len < 0) { + return FAILURE; + } + buffer = php_base64_encode((unsigned char*) str, (int) str_len, (int*) &ret_len); + if (ret_len < out_len) { + /* Too short of an encoded string generated */ + efree(buffer); + return FAILURE; + } + for (pos = 0; pos < out_len; pos++) { + if (buffer[pos] == '+') { + ret[pos] = '.'; + } else if (buffer[pos] == '=') { + efree(buffer); + return FAILURE; + } else { + ret[pos] = buffer[pos]; + } + } + efree(buffer); + return SUCCESS; +} +/* }}} */ + +static zend_bool php_password_make_salt(size_t length, char *ret TSRMLS_DC) /* {{{ */ +{ + int buffer_valid = 0; + size_t i, raw_length; + char *buffer; + char *result; + + if (length > (INT_MAX / 3)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length is too large to safely generate"); + return FAILURE; + } + + raw_length = length * 3 / 4 + 1; + + buffer = (char *) safe_emalloc(raw_length, 1, 1); + +#if PHP_WIN32 + { + BYTE *iv_b = (BYTE *) buffer; + if (php_win32_get_random_bytes(iv_b, raw_length) == SUCCESS) { + buffer_valid = 1; + } + } +#else + { + int fd, n; + size_t read_bytes = 0; + fd = open("/dev/urandom", O_RDONLY); + if (fd >= 0) { + while (read_bytes < raw_length) { + n = read(fd, buffer + read_bytes, raw_length - read_bytes); + if (n < 0) { + break; + } + read_bytes += (size_t) n; + } + close(fd); + } + if (read_bytes >= raw_length) { + buffer_valid = 1; + } + } +#endif + if (!buffer_valid) { + for (i = 0; i < raw_length; i++) { + buffer[i] ^= (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX); + } + } + + result = safe_emalloc(length, 1, 1); + if (php_password_salt_to64(buffer, raw_length, length, result) == FAILURE) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Generated salt too short"); + efree(buffer); + efree(result); + return FAILURE; + } + memcpy(ret, result, (int) length); + efree(result); + efree(buffer); + ret[length] = 0; + return SUCCESS; +} +/* }}} */ + +PHP_FUNCTION(password_get_info) +{ + php_password_algo algo; + int hash_len; + char *hash, *algo_name; + zval *options; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &hash, &hash_len) == FAILURE) { + return; + } + + if (hash_len < 0 || (size_t) hash_len < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Supplied password hash too long to safely identify"); + RETURN_FALSE; + } + + ALLOC_INIT_ZVAL(options); + array_init(options); + + algo = php_password_determine_algo(hash, (size_t) hash_len); + algo_name = php_password_get_algo_name(algo); + + switch (algo) { + case PHP_PASSWORD_BCRYPT: + { + long cost = PHP_PASSWORD_BCRYPT_COST; + sscanf(hash, "$2y$%ld$", &cost); + add_assoc_long(options, "cost", cost); + } + break; + case PHP_PASSWORD_UNKNOWN: + default: + break; + } + + array_init(return_value); + + add_assoc_long(return_value, "algo", algo); + add_assoc_string(return_value, "algoName", algo_name, 1); + add_assoc_zval(return_value, "options", options); +} + +PHP_FUNCTION(password_needs_rehash) +{ + long new_algo = 0; + php_password_algo algo; + int hash_len; + char *hash; + HashTable *options = 0; + zval **option_buffer; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|H", &hash, &hash_len, &new_algo, &options) == FAILURE) { + return; + } + + if (hash_len < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Supplied password hash too long to safely identify"); + RETURN_FALSE; + } + + algo = php_password_determine_algo(hash, (size_t) hash_len); + + if (algo != new_algo) { + RETURN_TRUE; + } + + switch (algo) { + case PHP_PASSWORD_BCRYPT: + { + long new_cost = PHP_PASSWORD_BCRYPT_COST, cost = 0; + + if (options && zend_symtable_find(options, "cost", sizeof("cost"), (void **) &option_buffer) == SUCCESS) { + if (Z_TYPE_PP(option_buffer) != IS_LONG) { + zval cast_option_buffer; + MAKE_COPY_ZVAL(option_buffer, &cast_option_buffer); + convert_to_long(&cast_option_buffer); + new_cost = Z_LVAL(cast_option_buffer); + zval_dtor(&cast_option_buffer); + } else { + new_cost = Z_LVAL_PP(option_buffer); + } + } + + sscanf(hash, "$2y$%ld$", &cost); + if (cost != new_cost) { + RETURN_TRUE; + } + } + break; + case PHP_PASSWORD_UNKNOWN: + default: + break; + } + RETURN_FALSE; +} + +/* {{{ proto boolean password_make_salt(string password, string hash) +Verify a hash created using crypt() or password_hash() */ +PHP_FUNCTION(password_verify) +{ + int status = 0, i; + int password_len, hash_len; + char *ret, *password, *hash; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &password, &password_len, &hash, &hash_len) == FAILURE) { + RETURN_FALSE; + } + if (php_crypt(password, password_len, hash, hash_len, &ret) == FAILURE) { + RETURN_FALSE; + } + + if (strlen(ret) != hash_len || hash_len < 13) { + efree(ret); + RETURN_FALSE; + } + + /* We're using this method instead of == in order to provide + * resistence towards timing attacks. This is a constant time + * equality check that will always check every byte of both + * values. */ + for (i = 0; i < hash_len; i++) { + status |= (ret[i] ^ hash[i]); + } + + efree(ret); + + RETURN_BOOL(status == 0); + +} +/* }}} */ + +/* {{{ proto string password_hash(string password, int algo, array options = array()) +Hash a password */ +PHP_FUNCTION(password_hash) +{ + char *hash_format, *hash, *salt, *password, *result; + long algo = 0; + int password_len = 0, hash_len; + size_t salt_len = 0, required_salt_len = 0, hash_format_len; + HashTable *options = 0; + zval **option_buffer; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|H", &password, &password_len, &algo, &options) == FAILURE) { + return; + } + + switch (algo) { + case PHP_PASSWORD_BCRYPT: + { + long cost = PHP_PASSWORD_BCRYPT_COST; + + if (options && zend_symtable_find(options, "cost", 5, (void **) &option_buffer) == SUCCESS) { + if (Z_TYPE_PP(option_buffer) != IS_LONG) { + zval cast_option_buffer; + MAKE_COPY_ZVAL(option_buffer, &cast_option_buffer); + convert_to_long(&cast_option_buffer); + cost = Z_LVAL(cast_option_buffer); + zval_dtor(&cast_option_buffer); + } else { + cost = Z_LVAL_PP(option_buffer); + } + } + + if (cost < 4 || cost > 31) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid bcrypt cost parameter specified: %ld", cost); + RETURN_NULL(); + } + + required_salt_len = 22; + hash_format = emalloc(8); + sprintf(hash_format, "$2y$%02ld$", cost); + hash_format_len = 7; + } + break; + case PHP_PASSWORD_UNKNOWN: + default: + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown password hashing algorithm: %ld", algo); + RETURN_NULL(); + } + + if (options && zend_symtable_find(options, "salt", 5, (void**) &option_buffer) == SUCCESS) { + char *buffer; + int buffer_len_int = 0; + size_t buffer_len; + switch (Z_TYPE_PP(option_buffer)) { + case IS_STRING: + buffer = estrndup(Z_STRVAL_PP(option_buffer), Z_STRLEN_PP(option_buffer)); + buffer_len_int = Z_STRLEN_PP(option_buffer); + break; + case IS_LONG: + case IS_DOUBLE: + case IS_OBJECT: { + zval cast_option_buffer; + MAKE_COPY_ZVAL(option_buffer, &cast_option_buffer); + convert_to_string(&cast_option_buffer); + if (Z_TYPE(cast_option_buffer) == IS_STRING) { + buffer = estrndup(Z_STRVAL(cast_option_buffer), Z_STRLEN(cast_option_buffer)); + buffer_len_int = Z_STRLEN(cast_option_buffer); + zval_dtor(&cast_option_buffer); + break; + } + zval_dtor(&cast_option_buffer); + } + case IS_BOOL: + case IS_NULL: + case IS_RESOURCE: + case IS_ARRAY: + default: + efree(hash_format); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Non-string salt parameter supplied"); + RETURN_NULL(); + } + if (buffer_len_int < 0) { + efree(hash_format); + efree(buffer); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Supplied salt is too long"); + } + buffer_len = (size_t) buffer_len_int; + if (buffer_len < required_salt_len) { + efree(hash_format); + efree(buffer); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Provided salt is too short: %lu expecting %lu", (unsigned long) buffer_len, (unsigned long) required_salt_len); + RETURN_NULL(); + } else if (0 == php_password_salt_is_alphabet(buffer, buffer_len)) { + salt = safe_emalloc(required_salt_len, 1, 1); + if (php_password_salt_to64(buffer, buffer_len, required_salt_len, salt) == FAILURE) { + efree(hash_format); + efree(buffer); + efree(salt); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Provided salt is too short: %lu", (unsigned long) buffer_len); + RETURN_NULL(); + } + salt_len = required_salt_len; + } else { + salt = safe_emalloc(required_salt_len, 1, 1); + memcpy(salt, buffer, (int) required_salt_len); + salt_len = required_salt_len; + } + efree(buffer); + } else { + salt = safe_emalloc(required_salt_len, 1, 1); + if (php_password_make_salt(required_salt_len, salt TSRMLS_CC) == FAILURE) { + efree(hash_format); + efree(salt); + RETURN_FALSE; + } + salt_len = required_salt_len; + } + + salt[salt_len] = 0; + + hash = safe_emalloc(salt_len + hash_format_len, 1, 1); + sprintf(hash, "%s%s", hash_format, salt); + hash[hash_format_len + salt_len] = 0; + + efree(hash_format); + efree(salt); + + /* This cast is safe, since both values are defined here in code and cannot overflow */ + hash_len = (int) (hash_format_len + salt_len); + + if (php_crypt(password, password_len, hash, hash_len, &result) == FAILURE) { + efree(hash); + RETURN_FALSE; + } + + efree(hash); + + if (strlen(result) < 13) { + efree(result); + RETURN_FALSE; + } + + RETURN_STRING(result, 0); +} +/* }}} */ + +#endif /* HAVE_CRYPT */ +/* + * Local variables: + * tab-width: 4 + * c-basic-offset: 4 + * End: + * vim600: sw=4 ts=4 fdm=marker + * vim<600: sw=4 ts=4 + */ diff --git a/ext/standard/php_crypt.h b/ext/standard/php_crypt.h index 93b232896a..7410a8c328 100644 --- a/ext/standard/php_crypt.h +++ b/ext/standard/php_crypt.h @@ -23,6 +23,7 @@ #ifndef PHP_CRYPT_H #define PHP_CRYPT_H +PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt, int salt_len, char **result); PHP_FUNCTION(crypt); #if HAVE_CRYPT PHP_MINIT_FUNCTION(crypt); diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h new file mode 100644 index 0000000000..079f187703 --- /dev/null +++ b/ext/standard/php_password.h @@ -0,0 +1,48 @@ +/* + +----------------------------------------------------------------------+ + | PHP Version 5 | + +----------------------------------------------------------------------+ + | Copyright (c) 1997-2012 The PHP Group | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Anthony Ferrara <ircmaxell@php.net> | + +----------------------------------------------------------------------+ +*/ + +/* $Id$ */ + +#ifndef PHP_PASSWORD_H +#define PHP_PASSWORD_H + +PHP_FUNCTION(password_hash); +PHP_FUNCTION(password_verify); +PHP_FUNCTION(password_needs_rehash); +PHP_FUNCTION(password_get_info); + +PHP_MINIT_FUNCTION(password); + +#define PHP_PASSWORD_DEFAULT PHP_PASSWORD_BCRYPT + +#define PHP_PASSWORD_BCRYPT_COST 10 + +typedef enum { + PHP_PASSWORD_UNKNOWN, + PHP_PASSWORD_BCRYPT +} php_password_algo; + +#endif + + +/* + * Local variables: + * tab-width: 4 + * c-basic-offset: 4 + * End: + */ diff --git a/ext/standard/php_standard.h b/ext/standard/php_standard.h index 483dbc33bc..bccfebe543 100644 --- a/ext/standard/php_standard.h +++ b/ext/standard/php_standard.h @@ -58,6 +58,7 @@ #include "php_versioning.h" #include "php_ftok.h" #include "php_type.h" +#include "php_password.h" #define phpext_standard_ptr basic_functions_module_ptr PHP_MINIT_FUNCTION(standard_filters); diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt new file mode 100644 index 0000000000..2548c9accb --- /dev/null +++ b/ext/standard/tests/password/password_bcrypt_errors.phpt @@ -0,0 +1,39 @@ +--TEST-- +Test error operation of password_hash() with bcrypt hashing +--FILE-- +<?php +//-=-=-=- + +var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => 3))); + +var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => 32))); + +var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => "foo"))); + +var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => "123456789012345678901"))); + +var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123))); + +var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo"))); + +?> +--EXPECTF-- +Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d +NULL + +Warning: password_hash(): Invalid bcrypt cost parameter specified: 32 in %s on line %d +NULL + +Warning: password_hash(): Provided salt is too short: 3 expecting 22 in %s on line %d +NULL + +Warning: password_hash(): Provided salt is too short: 21 expecting 22 in %s on line %d +NULL + +Warning: password_hash(): Provided salt is too short: 3 expecting 22 in %s on line %d +NULL + +Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d +NULL + + diff --git a/ext/standard/tests/password/password_get_info.phpt b/ext/standard/tests/password/password_get_info.phpt new file mode 100644 index 0000000000..4c8dc04ff8 --- /dev/null +++ b/ext/standard/tests/password/password_get_info.phpt @@ -0,0 +1,58 @@ +--TEST-- +Test normal operation of password_get_info() +--FILE-- +<?php +//-=-=-=- +// Test Bcrypt +var_dump(password_get_info('$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y')); +// Test Bcrypt Cost +var_dump(password_get_info('$2y$11$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y')); +// Test Bcrypt Invalid Length +var_dump(password_get_info('$2y$11$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100')); +// Test Non-Bcrypt +var_dump(password_get_info('$1$rasmusle$rISCgZzpwk3UhDidwXvin0')); + +echo "OK!"; +?> +--EXPECT-- +array(3) { + ["algo"]=> + int(1) + ["algoName"]=> + string(6) "bcrypt" + ["options"]=> + array(1) { + ["cost"]=> + int(10) + } +} +array(3) { + ["algo"]=> + int(1) + ["algoName"]=> + string(6) "bcrypt" + ["options"]=> + array(1) { + ["cost"]=> + int(11) + } +} +array(3) { + ["algo"]=> + int(0) + ["algoName"]=> + string(7) "unknown" + ["options"]=> + array(0) { + } +} +array(3) { + ["algo"]=> + int(0) + ["algoName"]=> + string(7) "unknown" + ["options"]=> + array(0) { + } +} +OK! diff --git a/ext/standard/tests/password/password_get_info_error.phpt b/ext/standard/tests/password/password_get_info_error.phpt new file mode 100644 index 0000000000..af676744c8 --- /dev/null +++ b/ext/standard/tests/password/password_get_info_error.phpt @@ -0,0 +1,17 @@ +--TEST-- +Test error operation of password_get_info() +--FILE-- +<?php +//-=-=-=- +var_dump(password_get_info()); +var_dump(password_get_info(array())); + +echo "OK!"; +?> +--EXPECTF-- +Warning: password_get_info() expects exactly 1 parameter, 0 given in %s on line %d +NULL + +Warning: password_get_info() expects parameter 1 to be string, array given in %s on line %d +NULL +OK! diff --git a/ext/standard/tests/password/password_hash.phpt b/ext/standard/tests/password/password_hash.phpt new file mode 100644 index 0000000000..f59d3d5e48 --- /dev/null +++ b/ext/standard/tests/password/password_hash.phpt @@ -0,0 +1,25 @@ +--TEST-- +Test normal operation of password_hash() +--FILE-- +<?php +//-=-=-=- + +var_dump(strlen(password_hash("foo", PASSWORD_BCRYPT))); + +$hash = password_hash("foo", PASSWORD_BCRYPT); + +var_dump($hash === crypt("foo", $hash)); + +var_dump(password_hash("rasmuslerdorf", PASSWORD_BCRYPT, array("cost" => 7, "salt" => "usesomesillystringforsalt"))); + +var_dump(password_hash("test", PASSWORD_BCRYPT, array("salt" => "123456789012345678901" . chr(0)))); + +echo "OK!"; +?> +--EXPECT-- +int(60) +bool(true) +string(60) "$2y$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi" +string(60) "$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y" +OK! + diff --git a/ext/standard/tests/password/password_hash_error.phpt b/ext/standard/tests/password/password_hash_error.phpt new file mode 100644 index 0000000000..952250cb30 --- /dev/null +++ b/ext/standard/tests/password/password_hash_error.phpt @@ -0,0 +1,48 @@ +--TEST-- +Test error operation of password_hash() +--FILE-- +<?php +//-=-=-=- + +var_dump(password_hash()); + +var_dump(password_hash("foo")); + +var_dump(password_hash("foo", array())); + +var_dump(password_hash("foo", 19, new StdClass)); + +var_dump(password_hash("foo", PASSWORD_BCRYPT, "baz")); + +var_dump(password_hash(array(), PASSWORD_BCRYPT)); + +var_dump(password_hash("123", PASSWORD_BCRYPT, array("salt" => array()))); + +/* Non-string salt, checking for memory leaks */ +var_dump(password_hash('123', PASSWORD_BCRYPT, array('salt' => 1234))); + +?> +--EXPECTF-- +Warning: password_hash() expects at least 2 parameters, 0 given in %s on line %d +NULL + +Warning: password_hash() expects at least 2 parameters, 1 given in %s on line %d +NULL + +Warning: password_hash() expects parameter 2 to be long, array given in %s on line %d +NULL + +Warning: password_hash(): Unknown password hashing algorithm: 19 in %s on line %d +NULL + +Warning: password_hash() expects parameter 3 to be array, string given in %s on line %d +NULL + +Warning: password_hash() expects parameter 1 to be string, array given in %s on line %d +NULL + +Warning: password_hash(): Non-string salt parameter supplied in %s on line %d +NULL + +Warning: password_hash(): Provided salt is too short: 4 expecting 22 in %s on line %d +NULL diff --git a/ext/standard/tests/password/password_needs_rehash.phpt b/ext/standard/tests/password/password_needs_rehash.phpt new file mode 100644 index 0000000000..734729e63d --- /dev/null +++ b/ext/standard/tests/password/password_needs_rehash.phpt @@ -0,0 +1,45 @@ +--TEST-- +Test normal operation of password_needs_rehash() +--FILE-- +<?php +//-=-=-=- + +// Invalid Hash, always rehash +var_dump(password_needs_rehash('', PASSWORD_BCRYPT)); + +// Valid, as it's an unknown algorithm +var_dump(password_needs_rehash('', 0)); + +// Valid with cost the same +var_dump(password_needs_rehash('$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y', PASSWORD_BCRYPT, array('cost' => 10))); + +// Valid with cost the same, additional params +var_dump(password_needs_rehash('$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y', PASSWORD_BCRYPT, array('cost' => 10, 'foo' => 3))); + +// Invalid, different (lower) cost +var_dump(password_needs_rehash('$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y', PASSWORD_BCRYPT, array('cost' => 09))); + +// Invalid, different (higher) cost +var_dump(password_needs_rehash('$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y', PASSWORD_BCRYPT, array('cost' => 11))); + +// Valid with cost the default +$cost = str_pad(PASSWORD_BCRYPT_DEFAULT_COST, 2, '0', STR_PAD_LEFT); +var_dump(password_needs_rehash('$2y$'.$cost.'$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y', PASSWORD_BCRYPT)); + +// Should Issue Needs Rehash, Since Foo is cast to 0... +var_dump(password_needs_rehash('$2y$10$MTIzNDU2Nzg5MDEyMzQ1Nej0NmcAWSLR.oP7XOR9HD/vjUuOj100y', PASSWORD_BCRYPT, array('cost' => 'foo'))); + + + +echo "OK!"; +?> +--EXPECT-- +bool(true) +bool(false) +bool(false) +bool(false) +bool(true) +bool(true) +bool(false) +bool(true) +OK! diff --git a/ext/standard/tests/password/password_needs_rehash_error.phpt b/ext/standard/tests/password/password_needs_rehash_error.phpt new file mode 100644 index 0000000000..e25ef8db3f --- /dev/null +++ b/ext/standard/tests/password/password_needs_rehash_error.phpt @@ -0,0 +1,33 @@ +--TEST-- +Test error operation of password_needs_rehash() +--FILE-- +<?php +//-=-=-=- +var_dump(password_needs_rehash()); + +var_dump(password_needs_rehash('')); + +var_dump(password_needs_rehash('', "foo")); + +var_dump(password_needs_rehash(array(), 1)); + +var_dump(password_needs_rehash("", 1, "foo")); + +echo "OK!"; +?> +--EXPECTF-- +Warning: password_needs_rehash() expects at least 2 parameters, 0 given in %s on line %d +NULL + +Warning: password_needs_rehash() expects at least 2 parameters, 1 given in %s on line %d +NULL + +Warning: password_needs_rehash() expects parameter 2 to be long, string given in %s on line %d +NULL + +Warning: password_needs_rehash() expects parameter 1 to be string, array given in %s on line %d +NULL + +Warning: password_needs_rehash() expects parameter 3 to be array, string given in %s on line %d +NULL +OK! diff --git a/ext/standard/tests/password/password_verify.phpt b/ext/standard/tests/password/password_verify.phpt new file mode 100644 index 0000000000..e7ecc7edd3 --- /dev/null +++ b/ext/standard/tests/password/password_verify.phpt @@ -0,0 +1,21 @@ +--TEST-- +Test normal operation of password_verify) +--FILE-- +<?php +//-=-=-=- + +var_dump(password_verify(123, 123)); + +var_dump(password_verify("foo", '$2a$07$usesomesillystringforsalt$')); + +var_dump(password_verify('rasmusler', '$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi')); + +var_dump(password_verify('rasmuslerdorf', '$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi')); +echo "OK!"; +?> +--EXPECT-- +bool(false) +bool(false) +bool(false) +bool(true) +OK! diff --git a/ext/standard/tests/password/password_verify_error.phpt b/ext/standard/tests/password/password_verify_error.phpt new file mode 100644 index 0000000000..3e653fa04e --- /dev/null +++ b/ext/standard/tests/password/password_verify_error.phpt @@ -0,0 +1,18 @@ +--TEST-- +Test error operation of password_verify() +--FILE-- +<?php +//-=-=-=- + +var_dump(password_verify()); + +var_dump(password_verify("foo")); + +?> +--EXPECTF-- +Warning: password_verify() expects exactly 2 parameters, 0 given in %s on line %d +bool(false) + +Warning: password_verify() expects exactly 2 parameters, 1 given in %s on line %d +bool(false) + |